Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
Analysis ID: 1396489
MD5: b1c4be84e40e10b9ff3eb14074b402af
SHA1: c792a0dc991474d0d5feba031983f67e6efc35fd
SHA256: e0324f9407031cdea025049097bf0d30a80f02eeb6e04a5d1d4a21eb8d703bc3
Tags: exe

Detection

Amadey, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Amadeys stealer DLL
Yara detected RisePro Stealer
Binary is likely a compiled AutoIt script file
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

AV Detection

Source: http://185.215.113.46/mine/plaza.exeZ Avira URL Cloud: Label: malware
Source: http://185.215.113.46/cost/ladR Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exeB Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exeR Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe? Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exeD Avira URL Cloud: Label: malware
Source: http://185.215.113.46/mine/plaza.exe$ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0008FFC0 CryptUnprotectData,CryptUnprotectData, 0_2_0008FFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0008FEE0 CryptUnprotectData,CryptUnprotectData, 0_2_0008FEE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005DFFC0 CryptUnprotectData,CryptUnprotectData, 6_2_005DFFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005DFEE0 CryptUnprotectData,CryptUnprotectData, 6_2_005DFEE0
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0007C050 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock, 0_2_0007C050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0014B4E5 recv,FindFirstFileExW, 0_2_0014B4E5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
Source: firefox.exe Memory has grown: Private usage: 1MB later: 96MB
Source: Joe Sandbox View IP Address: 185.215.113.46 185.215.113.46
Source: Joe Sandbox View IP Address: 162.159.61.3 162.159.61.3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0008DBB0 recv,WSAStartup,closesocket,socket,connect,closesocket, 0_2_0008DBB0
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2981895810.000002DDD74F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comc equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000024.00000002.2401861190.0000021E27E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000027.00000002.2409258603.0000022608EF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: "_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: &_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000024.00000002.2404026926.0000021E29B8D000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000024.00000003.2398551157.0000021E29B8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: '7n7https://www.facebook.com/video --attempting-deelevationUser equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: '_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://connect.facebook.net/*/all.js**://www.google-analytics.com/analytics.js**://*.imgur.io/js/vendor.*.bundle.js*://www.everestjs.net/static/st.v3.js*https://smartblock.firefox.etp/facebook.svg*://pub.doubleverify.com/signals/pub.js**://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://libs.coremetrics.com/eluminate.js*://ssl.google-analytics.com/ga.js*://s0.2mdn.net/instream/html5/ima3.js*://web-assets.toggl.com/app/assets/scripts/*.js@mozilla.org/addons/addon-manager-startup;1*://*.imgur.com/js/vendor.*.bundle.js*://www.rva311.com/static/js/main.*.chunk.jswebcompat-reporter%40mozilla.org:1.5.1*://static.criteo.net/js/ld/publishertag.js*://static.chartbeat.com/js/chartbeat.jsresource://gre/modules/addons/XPIProvider.jsmresource://gre/modules/FileUtils.sys.mjsFileUtils_closeAtomicFileOutputStreamhttps://smartblock.firefox.etp/play.svg*://track.adform.net/serving/scripts/trackpoint/*://static.chartbeat.com/js/chartbeat_video.js*://c.amazon-adsystem.com/aax2/apstag.jspictureinpicture%40mozilla.org:1.0.0*://auth.9c9media.ca/auth/main.js*://cdn.branch.io/branch-latest.min.js**://connect.facebook.net/*/sdk.js*FileUtils_closeSafeFileOutputStreamwebcompat-reporter@mozilla.org.xpi*://www.googletagservices.com/tag/js/gpt.js*sessionstore-final-state-write-complete equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2986469421.000002DDD9A4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: +www.youtube.com'# equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2639381332.000002DDF1AFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: +~predictor-origin,:https://www.youtube.com/predictor::seen1 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2639381332.000002DDF1AFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ,~predictor-origin,:https://www.facebook.com/predictor::seen1 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.2981672606.000002DDD74B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -os-restarted https://www.youtube.comH equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2756544128.000002DDF1476000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2678416446.000002DDF1476000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555599724.000002DDF1A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2715644142.000002DDF05FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3085387408.000002DDF05FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: .S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000003.2395489351.00000238B3BAC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000021.00000002.2406898794.00000238B3BAF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0`0https://www.youtube.com --attempting-deelevationUser equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 17085472254160_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 1_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 4_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 6_https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3036141911.000002DDE9072000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3082022232.000002DDEF8B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3082022232.000002DDEF8B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2690557482.000002DDF1BAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3053307784.000002DDEA622000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000003.2690557482.000002DDF1BAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB522000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBBC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB522000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB57D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA45F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3002620344.000002DDE4941000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3036141911.000002DDE9072000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3037738981.000002DDE9313000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3082022232.000002DDEF8BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3026750496.000002DDE8679000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3024860188.000002DDE85C8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000003.2755437096.000002DDF1513000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB7F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 9_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3036141911.000002DDE9072000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3082022232.000002DDEF8B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3082022232.000002DDEF8B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: :https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: <_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002C.00000002.3071324238.00000213869EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.facebook.com/videoMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000003.2408279262.000002DDD9AA1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3001552207.000002DDE470F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2409610072.000002DDD9AA1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: =::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCMOZ_CRASHREPORTER_DATA_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash ReportsMOZ_CRASHREPORTER_EVENTS_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\eventsMOZ_CRASHREPORTER_PING_DIRECTORY=C:\Users\user\AppData\Roaming\Mozilla\Firefox\Pending PingsMOZ_CRASHREPORTER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files\Mozilla Firefox\browser\crashreporter-override.iniNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files\Mozilla Firefox;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2974177068.000000EB8183C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2974448026.000000EB818BC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: ?www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2974177068.000000EB8183C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2974448026.000000EB818BC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: ?www.facebook.com:443: equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2974243248.000000EB8187C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2974575917.000000EB81A3C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: ?www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2974243248.000000EB8187C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2974575917.000000EB81A3C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: ?www.youtube.com:443: equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @mozilla.org/browser/clh;1toolkit.singletonWindowTypehttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000024.00000002.2401861190.0000021E27E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2981895810.000002DDD7500000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2409258603.0000022608EF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Program Files\Mozilla Firefox\firefox.exehttps://www.youtube.com--attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000024.00000002.2401861190.0000021E27E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/videoC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default' equals www.youtube.com (Youtube)
Source: firefox.exe, 00000027.00000002.2409258603.0000022608EF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevationC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2981895810.000002DDD74F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Windows\system32\C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.comC:\Program Files\Mozilla Firefox\firefox.exeWinsta0\Default equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: META:https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: META:https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000002C.00000002.3071324238.00000213869EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 0000002C.00000002.3071324238.00000213869EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.facebook.com/video* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2981895810.000002DDD7500000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2692866327.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093798179.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cfacebook.com%29,:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: O^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: PREF_BRANCH_WAS_REGISTEREDgetCombined/overrideFnArray<getZOrderAppWindowEnumeratorbrowsing-context-discardedhttps://www.facebook.com/videoPREF_BRANCH_PREVIOUS_ACTIONVALIDATE_NO_DEFAULT_FILENAMEVALIDATE_FORCE_APPEND_EXTENSIONdefault-theme@mozilla.org equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3001552207.000002DDE4853000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: TER_RESTART_ARG_0=C:\Program Files\Mozilla Firefox\firefox.exeMOZ_CRASHREPORTER_RESTART_ARG_1=https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:\Program Files`^ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4AA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4AAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: __test__1708547221126&_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: _https://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: browser.urlbar.dnsResolveFullyQualifiedNamesdevtools-commandkey-javascript-tracing-toggledevtools-commandkey-profiler-captureresource://devtools/server/devtools-server.jsdevtools.debugger.features.javascript-tracing{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}@mozilla.org/network/protocol;1?name=defaultbrowser and that URL. Falling back to Got invalid request to save JSON dataUnable to start devtools server on Failed to listen. Listener already attached.Failed to listen. Callback argument missing.JSON Viewer's onSave failed in startPersistenceFailed to execute WebChannel callback:devtools.performance.recording.ui-base-urlWebChannel/this._originCheckCallback@mozilla.org/network/protocol;1?name=file@mozilla.org/uriloader/handler-service;1releaseDistinctSystemPrincipalLoader^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools.debugger.remote-websocketdevtools-commandkey-profiler-start-stopdevtools/client/framework/devtools-browserDevToolsStartup.jsm:handleDebuggerFlagresource://devtools/shared/security/socket.js@mozilla.org/dom/slow-script-debug;1devtools/client/framework/devtoolsDevTools telemetry entry point failed: No callback set for this channel.devtools.performance.popup.feature-flagand deploy previews URLs are allowed.browser.fixup.dns_first_for_single_wordsresource://gre/modules/JSONFile.sys.mjs_injectDefaultProtocolHandlersIfNeededhandlerSvc fillHandlerInfo: don't know this type^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$){c6cf88b7-452e-47eb-bdc9-86e3561648ef}Can't invoke URIFixup in the content processextractScheme/fixupChangedProtocol<http://compose.mail.yahoo.co.jp/ym/Compose?To=%sget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPhttp://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/web-handler-app;1http://www.inbox.lv/rfc2368/?value=%sisDownloadsImprovementsAlreadyMigratedhttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/dbus-handler-app;1Scheme should be either http or httpshttps://mail.inbox.lv/compose?to=%sgecko.handlerService.defaultHandlersVersionhttps://mail.yahoo.co.jp/compose/?To=%s^([a-z+.-]+:\/{0,3})*([^\/@]+@).+resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/NetUtil.sys.mjs^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?get FIXUP_FLAG_FORCE_ALTERNATE_URI{33d75835-722f-42c0-89cc-44f328e56a86}resource://gre/modules/FileUtils.sys.mjsbrowser.fixup.domainsuffixwhitelist.https://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsget FIXUP_FLAGS_MAKE_ALTERNATE_URI@mozilla.org/network/file-input-stream;1_finalizeInternal/this._finalizePromise<resource://gre/modules/JSONFile.sys.mjsMust have a source and a callback@mozilla.org/network/simple-stream-listener;1resource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/input-stream-pump;1newChannel requires a single object argumentSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLFirst argument should be an nsIInputStream@mozilla.org/intl/converter-input-stream;1@mozilla.org/network/
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: check_quota'_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: color-mix(in srgb, currentColor 9%, transparent)*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POSThttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POSThttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2690557482.000002DDF1BAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3040483184.000002DDE9841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000003.2690557482.000002DDF1BAE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB522000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBBC6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.00000000014B3000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.00000000014B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/videoJ equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.00000000014B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/videoT equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/video[ equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/videog equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/videoinsertManyBookmarksWrapper equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/video~ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3104009587.00001435E6000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.comZ equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.linkedin.com/login equals www.linkedin.com (Linkedin)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.linkedin.com/loginW equals www.linkedin.com (Linkedin)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3036141911.000002DDE9003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3037738981.000002DDE9313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/8 equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/E equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3104009587.00001435E6000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3104966541.000026007F700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/g equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/l equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.00000000014C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com9 equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comE equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD770C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comMOZ_CRASHREPORTER_RESTART_ARG_2= equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/about_compat_broker.jsBoolean used to determine if the results defined in `exposureResults` should be shown in search results. Should be false for Control branch of an experiment.[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]An accountState promise was rejected, but we are ignoring that reason and rejecting it due to a different user being signed in. Originally rejected withhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/about_compat_broker.jsBoolean used to determine if the results defined in `exposureResults` should be shown in search results. Should be false for Control branch of an experiment.[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]An accountState promise was rejected, but we are ignoring that reason and rejecting it due to a different user being signed in. Originally rejected withhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/about_compat_broker.jsBoolean used to determine if the results defined in `exposureResults` should be shown in search results. Should be false for Control branch of an experiment.[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]An accountState promise was rejected, but we are ignoring that reason and rejecting it due to a different user being signed in. Originally rejected withhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: mutex_banzai9_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: mutex_falco_queue_critical^$^$<_https://www.facebook.com equals www.facebook.com (Facebook)
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: mutex_falco_queue_immediately^$^$4_https://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: offsetshttps://www.youtube.com`Pp equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://search-extensions/amazondotcom/*://*.adsafeprotected.com/jsvid?*color-mix(in srgb, currentColor 9%, transparent)*://www.facebook.com/platform/impression.php**://ads.stickyadstv.com/user-matching**://*.adsafeprotected.com/*/imp/**://*.adsafeprotected.com/*/Serving/*sessionstore-restoring-on-startup equals www.facebook.com (Facebook)
Source: firefox.exe, 00000024.00000002.2401861190.0000021E27E91000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000024.00000003.2398361741.0000021E27E8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.facebook.com/video --attempting-deelevation equals www.facebook.com (Facebook)
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://www.youtube.com --attempting-deelevation equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB810000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3070139081.000002DDEBA74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3091457545.000002DDF1797000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2644297894.000002DDF17B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: urlclassifier.downloadBlockTablehttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: vhttps://www.youtube.com/ equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3104009587.00001435E6000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3026750496.000002DDE8679000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.facebook.com-b equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.2974177068.000000EB8183C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2974448026.000000EB818BC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: www.facebook.com:443: equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3104009587.00001435E6000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3104966541.000026007F700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com8 equals www.linkedin.com (Linkedin)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com> equals www.linkedin.com (Linkedin)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3104966541.000026007F700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com! equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.youtube.com4F equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.2974243248.000000EB8187C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2974575917.000000EB81A3C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: www.youtube.com:443: equals www.youtube.com (Youtube)
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.youtube.comU equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE85C8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3024860188.000002DDE8577000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3026750496.000002DDE8636000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000003.2756544128.000002DDF1476000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2678416446.000002DDF1476000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555599724.000002DDF1A77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x.S........[tlsflags0x00000000]www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2715644142.000002DDF05FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3085387408.000002DDF05FD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x.S........[tlsflags0x00000000]www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000003.2692866327.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093798179.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xO^partitionKey=%28https%2Cfacebook.com%29,:https://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB810000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xO^partitionKey=%28https%2Cyoutube.com%29,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3040483184.000002DDE9841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2721008832.000002DDE9841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3079256123.000002DDEF51B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3082022232.000002DDEF8BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3040483184.000002DDE9841000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.facebook.com/video equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3036141911.000002DDE9003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3034560480.000002DDE8FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3028019163.000002DDE8703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xhttps://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB810000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3070139081.000002DDEBA74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xtlsflags0x00000000:www.facebook.com:443^partitionKey=%28https%2Cfacebook.com%29 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3091457545.000002DDF1797000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2644297894.000002DDF17B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: xtlsflags0x00000000:www.youtube.com:443^partitionKey=%28https%2Cyoutube.com%29 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639381332.000002DDF1AFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ~predictor-origin,:https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639381332.000002DDF1AFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ~predictor-origin,:https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000028.00000002.3016135834.000002DDE6557000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/13
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062E3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/B
Source: MPGPH131.exe, 00000007.00000002.3211469180.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/fu.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3019312482.0000000006223000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/fu.exe/
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/fu.exeagerts
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/ladR
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/ladas.exe
Source: MPGPH131.exe, 00000007.00000002.3212107647.00000000062B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/ladas.exeP1
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/ladas.exeS
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/ladas.exeSo
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/ladas.exeidiqKHFva9A6SyV
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062F3000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3212107647.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.0000000001715000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/niks.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/niks.exe;
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/niks.exe?
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/cost/niks.exeLU
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000132E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2487481850.00000000062CA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.000000000142F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/amert.exe
Source: MPGPH131.exe, 00000007.00000003.2487481850.00000000062CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/amert.exeespace
Source: MPGPH131.exe, 00000007.00000002.3182954510.000000000142F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/amert.exew
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3211469180.00000000060BF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3212107647.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.0000000001715000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exe$
Source: MPGPH131.exe, 00000007.00000002.3212107647.00000000062B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exe?
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeB
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062FA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeD
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeData
Source: MPGPH131.exe, 00000007.00000002.3212107647.00000000062B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeHx
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeR
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeZ
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exeidiqKHFva9A6SyV%ou
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2550009805.00000000062F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exelF~n
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.46/mine/plaza.exenBuil
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%sget
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 00000011.00000002.3320387841.0000012618A00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000028.00000002.3087971918.000002DDF14A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3053307784.000002DDEA6A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000028.00000002.3070139081.000002DDEBA6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 00000028.00000002.3034560480.000002DDE8FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlACTIVITY_SUBTYPE_REQUEST_BODY_SENTNetworkError
Source: firefox.exe, 00000028.00000002.3082022232.000002DDEF8B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2470467344.000002DDE98EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000028.00000003.2756544128.000002DDF1492000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3040483184.000002DDE98C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000003.2470467344.000002DDE98EE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/strings
Source: svchost.exe, 00000011.00000003.2295242492.0000012618940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: firefox.exe, 00000028.00000002.3102512483.000002E00003F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2721008832.000002DDE9841000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3061259054.000002DDEB492000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3079256123.000002DDEF543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3091053151.000002DDF176E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2581469174.000002DDE5980000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641446670.000002DDF1AD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2554462507.000002DDF1BEE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2756544128.000002DDF14A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3021515483.000002DDE6B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3061259054.000002DDEB471000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2713376488.000002DDF14A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3092826354.000002DDF1AD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029169896.000002DDE89EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3018770122.000002DDE6985000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2581469174.000002DDE596F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3054636830.000002DDEA703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3026750496.000002DDE86B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2699260634.000002DDF1778000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3056957894.000002DDEA9C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%sisDownloadsImprovementsAlreadyMigratedhttps://e.mail.ru/cgi-bin
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.cI
Source: firefox.exe, 00000028.00000002.3079256123.000002DDEF543000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2553685868.000002DDF32E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029169896.000002DDE8960000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3061259054.000002DDEB44F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3082022232.000002DDEF80E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3100096936.000002DDF32B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3034560480.000002DDE8FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000028.00000002.3029169896.000002DDE8903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul8
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulNo
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4ACB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/browser-data-s
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulp
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4ACB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/BrowserUsageTelemet
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4ACB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/policies/WebsiteFil
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2045508060.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2970949355.0000000000071000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2104376356.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3307238594.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3180443430.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2106055470.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2201009619.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2395117452.0000000000F81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2978648280.0000000000F81000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000028.00000002.3024860188.000002DDE8558000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000028.00000002.3022781856.000002DDE8270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000003.2422986790.000002DDE8300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423392241.000002DDE671E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2424049959.000002DDE6757000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423770801.000002DDE673A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/https://www.google.com/search_ignoredCloseButtonClicks
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000028.00000002.3056957894.000002DDEA9AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.cakey_togglePictureInPicturePictureInPicture:UrlbarToggle#picture-in-pictu
Source: firefox.exe, 00000028.00000002.3100096936.000002DDF32E0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2553685868.000002DDF32E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000028.00000002.3029169896.000002DDE8903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2692866327.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093798179.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com#_https://accounts.google.com
Source: firefox.exe, 00000028.00000003.2756544128.000002DDF1433000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.00000000014B3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/F
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/o.H
Source: firefox.exe, 00000028.00000003.2639381332.000002DDF1AFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/predictor::seen1
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/startEventLoopLagTracking
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3308195658.0000000000D70000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000026.00000002.2403287458.00000251FB9C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.comC:
Source: firefox.exe, 00000026.00000002.2403287458.00000251FB9C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.comE3
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.comeo
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.compending-crash-reports-send
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5AD6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orgpictureinpicture.toggle_enabledError:
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4AAA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3026750496.000002DDE8636000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp--panel-banner-item-info-icon-bgcoloraddons-search-detection
Source: firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: firefox.exe, 00000028.00000002.2993289085.000002DDE3EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: firefox.exe, 00000028.00000002.2993289085.000002DDE3EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 00000028.00000002.3037738981.000002DDE9313000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3016135834.000002DDE652F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4ACB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2556053988.0000000005F3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2556053988.0000000005F3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423392241.000002DDE671E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2424049959.000002DDE6757000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423770801.000002DDE673A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000028.00000002.3082022232.000002DDEF8A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2971556236.000000EB8093B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: firefox.exe, 00000028.00000002.2993289085.000002DDE3EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000028.00000002.2993289085.000002DDE3EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD770C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2982819503.000002DDD7730000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2569487642.000002DDF16B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB586000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB590000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB586000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarning
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsNOT
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingDocumentWriteIgnored
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2569487642.000002DDF16B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000028.00000002.3022781856.000002DDE8270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000003.2422986790.000002DDE8300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3105084303.000027BFE1C04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423392241.000002DDE671E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2424049959.000002DDE6757000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3024860188.000002DDE8567000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3104188133.000018095B804000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423770801.000002DDE673A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2556053988.0000000005F3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2556053988.0000000005F3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2556053988.0000000005F3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3012885176.000002DDE5C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB590000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093377763.000002DDF1B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000028.00000002.3022307158.000002DDE7150000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Parent
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: svchost.exe, 00000011.00000003.2295242492.00000126189B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000011.00000003.2295242492.0000012618940000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093377763.000002DDF1B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B3C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000028.00000002.3012379211.000002DDE5B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2569487642.000002DDF16B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000028.00000003.2629482617.000002DDF16AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2682334836.000002DDF16AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000028.00000003.2629482617.000002DDF16AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2682334836.000002DDF16AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000028.00000002.3022781856.000002DDE8270000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000028.00000003.2422986790.000002DDE8300000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423392241.000002DDE671E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2424049959.000002DDE6757000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2423770801.000002DDE673A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsexperiment-apis/aboutConfigPrefs.jsonexperiment-apis/
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650devtools-serviceworker-debugger-support
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3092826354.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2740566266.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641446670.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000028.00000002.3082022232.000002DDEF8BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB3F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3054636830.000002DDEA703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 00000028.00000002.3089136603.000002DDF1571000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2710767802.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2672155398.000002DDF1574000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD770C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881Somehow
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000028.00000002.3093377763.000002DDF1B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/oldsyncS
Source: firefox.exe, 00000028.00000002.3093377763.000002DDF1B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/H
Source: firefox.exe, 00000028.00000002.3093377763.000002DDF1B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/cmd/HCX
Source: firefox.exe, 00000028.00000002.3093377763.000002DDF1B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryU
Source: firefox.exe, 00000028.00000002.3093377763.000002DDF1B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/ids/ecosystem_telemetryUFj
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000028.00000002.3013967826.000002DDE5FB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000028.00000002.3085387408.000002DDF0533000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2680500338.000002DDF0537000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2715644142.000002DDF0537000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: RageMP131.exe, 00000008.00000002.2399410528.000000000169E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000133A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: MPGPH131.exe, 00000007.00000002.3182954510.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/d9s
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.00000000012DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/fons
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2045508060.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2970949355.0000000000071000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2104376356.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3307238594.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3180443430.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2106055470.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2201009619.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2395117452.0000000000F81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2978648280.0000000000F81000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/l
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000133A000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.0000000001320000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.0000000001350000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.00000000016FD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.00000000016EC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222
Source: RageMP131.exe, 00000008.00000002.2399410528.00000000016EC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222R
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222S
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.0000000001320000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222k
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.222m1j
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/x
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000132E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.2223
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222;
Source: RageMP131.exe, 00000008.00000002.2399410528.00000000016FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.222p
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000028.00000002.3037738981.000002DDE9313000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3023056958.000002DDE83F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000028.00000002.3013967826.000002DDE5F78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000028.00000002.3023056958.000002DDE83CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000028.00000002.3023056958.000002DDE83CB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213ebx
Source: firefox.exe, 00000028.00000002.3056957894.000002DDEA9AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3103412189.00000EEDCF604000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.comresource://normandy/lib/ClientEnvironment.sys.mjsresource://gre/modules/Privat
Source: firefox.exe, 00000028.00000002.3056957894.000002DDEA9AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com94/e.prototype._filterRelative/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3002620344.000002DDE49BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3012379211.000002DDE5B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sresource://pdf.js/PdfJsDefaultPreferences.sys.mjsh
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3012885176.000002DDE5C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sgecko.handlerService.defaultHandlersVersionhttps://mail.yahoo.co.
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3012885176.000002DDE5C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3010202894.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2639259870.000002DDE591B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2982819503.000002DDD77DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.commigrateXULAttributeToStylehttps://screenshots.firefox.comhttps://truecolo
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000028.00000002.3102724208.000007C490404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3012885176.000002DDE5C7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641651911.000002DDE593B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsget
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5ABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.comMOZ_BROWSER_TOOLBOX_BINARYbrowserToolboxLauncherConfigdevtools.debugger.
Source: firefox.exe, 00000028.00000003.2641446670.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB83A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000028.00000003.2692866327.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093798179.000002DDF1B9D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB83A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000028.00000003.2423770801.000002DDE673A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5AD6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/IDB_MIGRATE_RESULT_HISTOGRAM
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000028.00000002.3072152762.000002DDEBB1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addonbrowser.contentblocking.cfr-milestone.milesto
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000028.00000003.2644297894.000002DDF1793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3091457545.000002DDF1793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000028.00000003.2644297894.000002DDF1793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3091457545.000002DDF1793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=118.0&pver=2.2
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2UPDATE
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093377763.000002DDF1B3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000028.00000003.2690557482.000002DDF1BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2737503090.000002DDF1BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3093798179.000002DDF1BCA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2740566266.000002DDF1AA6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641724707.000002DDF1AA4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2555025553.000002DDF1AA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000028.00000002.3030236130.000002DDE8C20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3055411357.000002DDEA8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000028.00000003.2553685868.000002DDF3268000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3100096936.000002DDF3244000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpUnexpected
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaPlatformDecoderNotFound
Source: firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsMediaWMFNeeded
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000028.00000003.2736165131.000002DDE8D9D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3032209804.000002DDE8DAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000028.00000002.3034560480.000002DDE8FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingspromiseLangPacksUpdated
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causeschrome://browser/content/mi
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationSetting
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.a5
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.g
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.000000000169E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.2399410528.000000000169E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTVD
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot%
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot)
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot;U
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botGU
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bote
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botn
Source: RageMP131.exe, 00000008.00000002.2399410528.0000000001715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bott
Source: RageMP131.exe, 00000008.00000002.2399410528.0000000001715000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botuG
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botxe
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD7703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A27000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3092826354.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2740566266.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2641446670.000002DDF1ABA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000028.00000002.3093798179.000002DDF1B7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000028.00000003.2779333489.000002DDE432F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2781597317.000002DDE4371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://whttps://www.google.
Source: firefox.exe, 00000028.00000003.2573396913.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2629482617.000002DDF16B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2569487642.000002DDF16B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000028.00000002.2993289085.000002DDE3EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/resource://gre/modules/PrivateBrowsingUtils.sys.m
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000028.00000002.2993289085.000002DDE3EAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000028.00000003.2763506074.000002DDE4500000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.
Source: firefox.exe, 00000028.00000003.2763506074.000002DDE4500000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000028.00000003.2553685868.000002DDF32B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000028.00000003.2644297894.000002DDF17BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000028.00000003.2644297894.000002DDF17B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2157613094.0000000006148000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154816308.0000000006212000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2164315198.0000000006222000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2412565449.0000000005F4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2257914849.000000000601C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2556053988.0000000005F3F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.00000000060B8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2205798771.00000000060F5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2223168260.00000000060B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/resource://gre/modules/GMPInstallManager.sys.mjsresource://g
Source: firefox.exe, 00000028.00000003.2644297894.000002DDF17BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.linkedin.com/login
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.linkedin.com/loginW
Source: firefox.exe, 00000028.00000002.3002620344.000002DDE49B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3090855517.000002DDF173E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2975695786.000000EB8377B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/8
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2166684188.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3019312482.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2272761454.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266137142.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2259571981.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2262413005.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266788197.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2444449056.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2265234340.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2261903444.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2270931883.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2262859371.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2254904274.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2264973777.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2265672884.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2211664716.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2229804731.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2253611692.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2225287329.0000000006109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/T
Source: firefox.exe, 00000028.00000002.3065941874.000002DDEB82B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource:///modules/Sanitizer.sys.mjsresource:///modules/Browser
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2166684188.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3019312482.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2272761454.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266137142.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2259571981.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2262413005.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266788197.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2444449056.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2265234340.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2261903444.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2270931883.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2262859371.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2254904274.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2264973777.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2265672884.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2211664716.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2229804731.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2253611692.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2225287329.0000000006109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2993289085.000002DDE3E54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000028.00000002.3009171857.000002DDE57D0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2166684188.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3019312482.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2272761454.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266137142.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2259571981.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2262413005.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2266788197.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2444449056.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2265234340.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2261903444.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2270931883.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2262859371.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3326844606.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2254904274.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2264973777.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2265672884.0000000005FF2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2211664716.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2209351058.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2229804731.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2253611692.0000000006109000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2225287329.0000000006109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD776A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgaddons.mozilla.org
Source: firefox.exe, 00000028.00000002.2975695786.000000EB8377B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 00000028.00000002.3029878748.000002DDE8B15000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000028.00000002.3093798179.000002DDF1B7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4AB9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3026750496.000002DDE8607000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/startup
Source: firefox.exe, 00000028.00000002.3011549482.000002DDE5A09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3011549482.000002DDE5A85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000028.00000002.3103412189.00000EEDCF604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000028.00000002.3004684790.000002DDE4A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/get
Source: firefox.exe, 00000028.00000002.3034560480.000002DDE8FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000027.00000002.2409258603.0000022608EF0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com--attempting-deelevation
Source: firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/8
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001438000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/E
Source: firefox.exe, 00000028.00000002.3104009587.00001435E6000000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3104966541.000026007F700000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/g
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/l
Source: firefox.exe, 00000028.00000003.2639381332.000002DDF1AFD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/predictor::seen1
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.00000000014C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com9
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2981895810.000002DDD74F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comC:
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000002.3309467580.0000000001464000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comE
Source: firefox.exe, 00000028.00000002.2981672606.000002DDD74B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comH
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD770C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comMOZ_CRASHREPORTER_RESTART_ARG_2=
Source: firefox.exe, 00000028.00000003.2408279262.000002DDD9AA1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3001552207.000002DDE470F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2409610072.000002DDD9AA1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2406616011.000002DDD9AA1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2986469421.000002DDD9AA1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3001552207.000002DDE4853000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2986469421.000002DDD9A30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comMOZ_CRASHREPORTER_STRINGS_OVERRIDE=C:
Source: firefox.exe, 00000021.00000002.2404039385.00000238B1FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.comc
Source: firefox.exe, 00000028.00000002.3093798179.000002DDF1B7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3004684790.000002DDE4A7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3049175480.000002DDEA4BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000028.00000002.3064080427.000002DDEB56B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3064080427.000002DDEB54F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3047962765.000002DDEA303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000028.00000002.3022453353.000002DDE7180000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000028.00000002.3104845019.000021162CE04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000028.00000002.2982819503.000002DDD77E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000028.00000003.2721008832.000002DDE9813000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3040483184.000002DDE9813000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.3054636830.000002DDEA703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/

System Summary

Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2225887227.00000000065B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_55b4a0f7-5
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2225887227.00000000065B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_43032c03-a
Source: MPGPH131.exe, 00000007.00000003.2426655207.0000000006638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c534ab44-a
Source: MPGPH131.exe, 00000007.00000003.2426655207.0000000006638000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_b21fa43c-b
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000000.2265645503.0000000000C32000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_33edc4dc-4
Source: uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000000.2265645503.0000000000C32000.00000002.00000001.01000000.00000008.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a0f83278-b
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name:
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: .idata
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name:
Source: EdgeMS131.exe.0.dr Static PE information: section name:
Source: EdgeMS131.exe.0.dr Static PE information: section name: .idata
Source: EdgeMS131.exe.0.dr Static PE information: section name:
Source: ladas[1].exe.0.dr Static PE information: section name:
Source: ladas[1].exe.0.dr Static PE information: section name: .idata
Source: ladas[1].exe.0.dr Static PE information: section name:
Source: niks[1].exe.0.dr Static PE information: section name:
Source: niks[1].exe.0.dr Static PE information: section name: .idata
Source: niks[1].exe.0.dr Static PE information: section name:
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name:
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name: .idata
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name:
Source: amert[1].exe.0.dr Static PE information: section name:
Source: amert[1].exe.0.dr Static PE information: section name: .idata
Source: amert[1].exe.0.dr Static PE information: section name:
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name:
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: .idata
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: .idata
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name:
Source: ladas[1].exe.7.dr Static PE information: section name:
Source: ladas[1].exe.7.dr Static PE information: section name: .idata
Source: ladas[1].exe.7.dr Static PE information: section name:
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name:
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: .idata
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name:
Source: amert[1].exe.7.dr Static PE information: section name:
Source: amert[1].exe.7.dr Static PE information: section name: .idata
Source: amert[1].exe.7.dr Static PE information: section name:
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name:
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: .idata
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name:
Source: niks[1].exe.7.dr Static PE information: section name:
Source: niks[1].exe.7.dr Static PE information: section name: .idata
Source: niks[1].exe.7.dr Static PE information: section name:
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name:
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name: .idata
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005CA450 RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlFreeHeap,RtlAllocateHeap,NtQuerySystemInformation,HeapFree, 6_2_005CA450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005CA770 NtDuplicateObject,CreateThread,TerminateThread, 6_2_005CA770
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000B2010 0_2_000B2010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0007F050 0_2_0007F050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A0890 0_2_000A0890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A48E0 0_2_000A48E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000C3910 0_2_000C3910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0014A930 0_2_0014A930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000CD180 0_2_000CD180
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000B2250 0_2_000B2250
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0009BA60 0_2_0009BA60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00095A90 0_2_00095A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000C52B0 0_2_000C52B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000C82E0 0_2_000C82E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000C3350 0_2_000C3350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000B0360 0_2_000B0360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000BDB80 0_2_000BDB80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000813C0 0_2_000813C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A8C90 0_2_000A8C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000CA540 0_2_000CA540
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00098570 0_2_00098570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00080580 0_2_00080580
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A6590 0_2_000A6590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000AD5A0 0_2_000AD5A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_001045E0 0_2_001045E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A7660 0_2_000A7660
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0009DE70 0_2_0009DE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000AA700 0_2_000AA700
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0015970D 0_2_0015970D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00094730 0_2_00094730
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0009A760 0_2_0009A760
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00090780 0_2_00090780
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A0FB0 0_2_000A0FB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00154008 0_2_00154008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00072050 0_2_00072050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000E0850 0_2_000E0850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00150880 0_2_00150880
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0008A150 0_2_0008A150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00159A4F 0_2_00159A4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000F1A50 0_2_000F1A50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000722C0 0_2_000722C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000A02C0 0_2_000A02C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0010D2C0 0_2_0010D2C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00102360 0_2_00102360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0007ABA0 0_2_0007ABA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000FBCC0 0_2_000FBCC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000EF4D0 0_2_000EF4D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000F4D30 0_2_000F4D30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000FD530 0_2_000FD530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000FDE70 0_2_000FDE70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0007A770 0_2_0007A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_000F0FD0 0_2_000F0FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F48E0 6_2_005F48E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F0890 6_2_005F0890
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0069A930 6_2_0069A930
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005EBA60 6_2_005EBA60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005E5A90 6_2_005E5A90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00600360 6_2_00600360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00613350 6_2_00613350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0060DB80 6_2_0060DB80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005CABA0 6_2_005CABA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005DE4C0 6_2_005DE4C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F8C90 6_2_005F8C90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005E8570 6_2_005E8570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006545E0 6_2_006545E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F6590 6_2_005F6590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005EDE70 6_2_005EDE70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F7660 6_2_005F7660
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005CA770 6_2_005CA770
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005EA760 6_2_005EA760
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005FA700 6_2_005FA700
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005E4730 6_2_005E4730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005E0780 6_2_005E0780
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F0FB0 6_2_005F0FB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006A6040 6_2_006A6040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006A4008 6_2_006A4008
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00800000 6_2_00800000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006A0880 6_2_006A0880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005DA150 6_2_005DA150
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006A9A4F 6_2_006A9A4F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00641A50 6_2_00641A50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005C22C0 6_2_005C22C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F02C0 6_2_005F02C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0065D2C0 6_2_0065D2C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00652360 6_2_00652360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006B73C4 6_2_006B73C4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0064BCC0 6_2_0064BCC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006BF4C0 6_2_006BF4C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0063F4D0 6_2_0063F4D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0064D530 6_2_0064D530
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00644D30 6_2_00644D30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0064DE70 6_2_0064DE70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00651E50 6_2_00651E50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00640FD0 6_2_00640FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006307B0 6_2_006307B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: String function: 000D9C70 appears 36 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00629C70 appears 32 times
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ladas[1].exe.0.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ladas[1].exe.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3005868635.00000000050E0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMSBuild.exeR vs SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2972859423.00000000001A7000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMSBuild.exeR vs SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameheidisql.exe2 vs SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
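The three static findings listed above for the sample and its dropped copies (the "This is a third-party compiled AutoIt script." marker, section headers whose names render blank, and a VS_VERSIONINFO OriginalFilename of MSBuild.exe that does not match the file on disk) can be reproduced without the sandbox. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed binaries. It parses the PE section table by hand with only the standard library, so it runs on any host without pefile. The OriginalFilename reader is a heuristic that assumes the value follows the UTF-16LE key after NUL and DWORD padding, as it does in normal version resources, rather than a full VS_VERSIONINFO parser. The PE image it builds is a constructed, non-runnable fixture that mimics the layout the report shows (two nameless sections around .idata); a name that renders blank in a report may be all-NUL or made of non-printable bytes, and the classifier separates those two cases.

```python
import struct
from typing import Dict, List, Optional

# Marker string the report found in the sample and in MPGPH131.exe / uZN1wC5UClYhYsdlFwua.exe
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."
# Bytes a linker normally emits in a section name: printable ASCII, no whitespace
PRINTABLE = set(range(0x21, 0x7F))


def parse_sections(data: bytes) -> List[Dict]:
    """Walk the PE section table by hand (no pefile) and return one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, pe_off + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]    # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(nsections):
        (name, _vsize, vaddr, raw_size, raw_off,
         _rel, _lin, _nrel, _nlin, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr,
                         "raw_offset": raw_off, "raw_size": raw_size, "characteristics": chars})
    return sections


def classify_name(name: bytes) -> str:
    """'nameless' for an all-NUL name, 'non-printable' if any byte falls outside printable ASCII."""
    if not name:
        return "nameless"
    if any(b not in PRINTABLE for b in name):
        return "non-printable"
    return "normal"


def original_filename(data: bytes) -> Optional[str]:
    """Heuristic read of the VS_VERSIONINFO OriginalFilename value: locate the UTF-16LE key,
    skip its NUL terminator and the DWORD alignment padding, then read UTF-16LE up to the next NUL."""
    key = "OriginalFilename".encode("utf-16-le") + b"\0\0"
    idx = data.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    while pos + 1 < len(data) and data[pos:pos + 2] == b"\0\0":   # alignment padding
        pos += 2
    end = pos
    while end + 1 < len(data) and data[end:end + 2] != b"\0\0":   # value terminator
        end += 2
    return data[pos:end].decode("utf-16-le", errors="replace")


def triage(data: bytes, on_disk_name: str) -> Dict:
    """Collect the three static indicators the report flags for this dropper and its copies."""
    sections = parse_sections(data)
    claimed = original_filename(data)
    return {
        "section_names": [classify_name(s["name"]) for s in sections],
        "nameless_sections": sum(1 for s in sections if not s["name"]),
        "autoit_marker": AUTOIT_MARKER in data,
        "original_filename": claimed,
        # version-info name disagreeing with the file on disk (MSBuild.exe vs the sample's name)
        "name_mismatch": bool(claimed) and claimed.lower() != on_disk_name.lower(),
    }


def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image that mimics the report's layout (two nameless sections
    around .idata, the AutoIt marker, and a version string claiming MSBuild.exe). Test fixture only."""
    pe_off, opt_size = 0x40, 224
    names = [b"", b".idata", b""]
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)   # i386, EXECUTABLE_IMAGE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                         # PE32 magic
    payload = AUTOIT_MARKER + b"\0" * 16
    payload += "OriginalFilename".encode("utf-16-le") + b"\0\0" + b"\0\0"          # key, NUL, padding
    payload += "MSBuild.exe".encode("utf-16-le") + b"\0\0"
    table_end = pe_off + 4 + len(coff) + opt_size + 40 * len(names)
    raw_off = (table_end + 0x1FF) & ~0x1FF                                        # 512-byte file alignment
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    for i, name in enumerate(names):
        in_first = i == 0
        headers += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000 * (i + 1),
                               len(payload) if in_first else 0, raw_off if in_first else 0,
                               0, 0, 0, 0, 0x60000020)                            # CODE|EXECUTE|READ
    return headers.ljust(raw_off, b"\0") + payload


if __name__ == "__main__":
    report = triage(build_sample_pe(), "SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real dropped files (RageMP131.exe, MPGPH131.exe, EdgeMS131.exe and the rest) by passing `open(path, "rb").read()` and the on-disk name to `triage`; a count of nameless sections above zero together with the AutoIt marker and a mismatched OriginalFilename is the same combination the report lists for every copy in this chain, and the `vaddr`/`raw_offset` fields let you carve the nameless sections for unpacking.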
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iertutil.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: urlmon.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: srvcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: netutils.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: propsys.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: edputil.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: appresolver.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: bcp47langs.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: slc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: userenv.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sppc.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: acgenral.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: samcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: msacm32.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: version.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: userenv.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: urlmon.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: mpr.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: iertutil.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: srvcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: netutils.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: aclayers.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: sfc.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: sfc_os.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: acgenral.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: winmm.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: samcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: msacm32.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: version.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: userenv.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: dwmapi.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: urlmon.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: mpr.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: winmmbase.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: iertutil.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: srvcli.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: netutils.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: aclayers.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: sfc.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: sfc_os.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Section loaded: kernel.appcore.dll
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: Section: ZLIB complexity 0.9993563565340909
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: Section: zspkhdwt ZLIB complexity 0.9912484645423878
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9993563565340909
Source: RageMP131.exe.0.dr Static PE information: Section: zspkhdwt ZLIB complexity 0.9912484645423878
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9993563565340909
Source: MPGPH131.exe.0.dr Static PE information: Section: zspkhdwt ZLIB complexity 0.9912484645423878
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: Section: ZLIB complexity 0.9999794407894737
Source: plaza[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: plaza[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9970366379310345
Source: plaza[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9917578125
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: Section: ZLIB complexity 0.9970366379310345
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: Section: ZLIB complexity 0.9917578125
Source: EdgeMS131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: EdgeMS131.exe.0.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: ladas[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9999794407894737
Source: niks[1].exe.0.dr Static PE information: Section: eigmswwb ZLIB complexity 0.9946349163164215
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: Section: eigmswwb ZLIB complexity 0.9946349163164215
Source: amert[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: amert[1].exe.0.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: AdobeUpdaterV131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: AdobeUpdaterV131.exe.0.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: MSIUpdaterV131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: MSIUpdaterV131.exe.0.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: Section: ZLIB complexity 0.9970366379310345
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: Section: ZLIB complexity 0.9917578125
Source: ladas[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9999794407894737
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: Section: ZLIB complexity 0.9999794407894737
Source: plaza[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: plaza[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9970366379310345
Source: plaza[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9917578125
Source: amert[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: amert[1].exe.7.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: Section: ZLIB complexity 0.9974227358815427
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: Section: jiatpsvw ZLIB complexity 0.9942436037470379
Source: niks[1].exe.7.dr Static PE information: Section: eigmswwb ZLIB complexity 0.9946349163164215
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: Section: eigmswwb ZLIB complexity 0.9946349163164215
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@154/390@0/60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005CABA0 CreateToolhelp32Snapshot, 6_2_005CABA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8500:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2045508060.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2970949355.0000000000071000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2104376356.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3307238594.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3180443430.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2106055470.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2201009619.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2395117452.0000000000F81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2978648280.0000000000F81000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2172565720.00000000062DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE ibans (guid VARCHAR PRIMARY KEY, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, value_encrypted VARCHAR, nickname VARCHAR)ed INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, billing_address_id VARCHAR, nickname VARCHAR)BBiqhdWlA;4
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2045508060.00000000050E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2970949355.0000000000071000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2104376356.0000000004CA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3307238594.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3180443430.00000000005C1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2106055470.0000000005010000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2201009619.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2395117452.0000000000F81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2978648280.0000000000F81000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2151039852.00000000013A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3019312482.00000000061D0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2154963300.00000000013B0000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2166684188.00000000061F9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2151039852.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2166037687.00000000062DF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2245992576.000000000106C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2244509718.0000000005F35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe "C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2240,i,13921391222393483847,4761716452769052744,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1936,i,9470944878376775622,9282164384408437932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2032,i,14926049002452561155,8058973995250590253,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,5261861388896760932,16148386498067072536,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2000,i,1768132111865368519,4233067863729302844,262144 /prefetch:3
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2040,i,4242032244317925949,13582260468211936677,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1044 --field-trial-handle=1980,i,7429992928385286623,7793563262023415806,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2428 --field-trial-handle=2068,i,2594464745236278957,17215954924354817473,262144 /prefetch:3
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video --attempting-deelevation
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: unknown Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2256 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 2172 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9141712d-886b-4ac1-89cb-a74a59119952} 10932 "\\.\pipe\gecko-crash-server-pipe.10932" 2ddd776e910 socket
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe "C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe "C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 --field-trial-handle=2240,i,13921391222393483847,4761716452769052744,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1936,i,9470944878376775622,9282164384408437932,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2032,i,14926049002452561155,8058973995250590253,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2028 --field-trial-handle=1988,i,5261861388896760932,16148386498067072536,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=2000,i,1768132111865368519,4233067863729302844,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=2040,i,4242032244317925949,13582260468211936677,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=1044 --field-trial-handle=1980,i,7429992928385286623,7793563262023415806,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2428 --field-trial-handle=2068,i,2594464745236278957,17215954924354817473,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2256 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 2172 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9141712d-886b-4ac1-89cb-a74a59119952} 10932 "\\.\pipe\gecko-crash-server-pipe.10932" 2ddd776e910 socket
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2256 -parentBuildID 20230927232528 -prefsHandle 2156 -prefMapHandle 2172 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9141712d-886b-4ac1-89cb-a74a59119952} 10932 "\\.\pipe\gecko-crash-server-pipe.10932" 2ddd776e910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32
Source: EdgeMS131.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS131\EdgeMS131.exe
Source: YouTube.lnk.11.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.11.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.11.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.11.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.11.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.11.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static file information: File size 2352128 > 1048576
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: Raw size of zspkhdwt is bigger than: 0x100000 < 0x1aa200

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe.70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.f80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 13.2.RageMP131.exe.f80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;zspkhdwt:EW;enueklum:EW;.taggant:EW;
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Unpacked PE file: 47.2.MSIUpdaterV131.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jiatpsvw:EW;ibedqclu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jiatpsvw:EW;ibedqclu:EW;.taggant:EW;
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Unpacked PE file: 48.2.MSIUpdaterV131.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jiatpsvw:EW;ibedqclu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jiatpsvw:EW;ibedqclu:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: ladas[1].exe.7.dr Static PE information: real checksum: 0x24b810 should be: 0x248e7c
Source: amert[1].exe.0.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: real checksum: 0x24b810 should be: 0x248e7c
Source: MSIUpdaterV131.exe.0.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: plaza[1].exe.7.dr Static PE information: real checksum: 0x0 should be: 0x2f4b9e
Source: RageMP131.exe.0.dr Static PE information: real checksum: 0x241abf should be: 0x244cca
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: real checksum: 0x0 should be: 0x2f4b9e
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: real checksum: 0x24b810 should be: 0x248e7c
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: AdobeUpdaterV131.exe.0.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: real checksum: 0x241abf should be: 0x244cca
Source: plaza[1].exe.0.dr Static PE information: real checksum: 0x0 should be: 0x2f4b9e
Source: EdgeMS131.exe.0.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: amert[1].exe.7.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: MPGPH131.exe.0.dr Static PE information: real checksum: 0x241abf should be: 0x244cca
Source: ladas[1].exe.0.dr Static PE information: real checksum: 0x24b810 should be: 0x248e7c
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: real checksum: 0x1d7dc2 should be: 0x1ddbe2
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x2f4b9e
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: zspkhdwt
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: enueklum
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .idata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: zspkhdwt
Source: RageMP131.exe.0.dr Static PE information: section name: enueklum
Source: RageMP131.exe.0.dr Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: zspkhdwt
Source: MPGPH131.exe.0.dr Static PE information: section name: enueklum
Source: MPGPH131.exe.0.dr Static PE information: section name: .taggant
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name:
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: .idata
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name:
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: nmikghcp
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: bwcyllhk
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: .taggant
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: plaza[1].exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name:
Source: EdgeMS131.exe.0.dr Static PE information: section name:
Source: EdgeMS131.exe.0.dr Static PE information: section name: .idata
Source: EdgeMS131.exe.0.dr Static PE information: section name:
Source: EdgeMS131.exe.0.dr Static PE information: section name: jiatpsvw
Source: EdgeMS131.exe.0.dr Static PE information: section name: ibedqclu
Source: EdgeMS131.exe.0.dr Static PE information: section name: .taggant
Source: ladas[1].exe.0.dr Static PE information: section name:
Source: ladas[1].exe.0.dr Static PE information: section name: .idata
Source: ladas[1].exe.0.dr Static PE information: section name:
Source: ladas[1].exe.0.dr Static PE information: section name: nmikghcp
Source: ladas[1].exe.0.dr Static PE information: section name: bwcyllhk
Source: ladas[1].exe.0.dr Static PE information: section name: .taggant
Source: niks[1].exe.0.dr Static PE information: section name:
Source: niks[1].exe.0.dr Static PE information: section name: .idata
Source: niks[1].exe.0.dr Static PE information: section name:
Source: niks[1].exe.0.dr Static PE information: section name: eigmswwb
Source: niks[1].exe.0.dr Static PE information: section name: dwznybac
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name:
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name: .idata
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name:
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name: eigmswwb
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name: dwznybac
Source: amert[1].exe.0.dr Static PE information: section name:
Source: amert[1].exe.0.dr Static PE information: section name: .idata
Source: amert[1].exe.0.dr Static PE information: section name:
Source: amert[1].exe.0.dr Static PE information: section name: jiatpsvw
Source: amert[1].exe.0.dr Static PE information: section name: ibedqclu
Source: amert[1].exe.0.dr Static PE information: section name: .taggant
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name:
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: .idata
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name:
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: jiatpsvw
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: ibedqclu
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: .taggant
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name:
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: jiatpsvw
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: ibedqclu
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: .taggant
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: .idata
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name:
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: jiatpsvw
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: ibedqclu
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: .taggant
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name:
Source: ladas[1].exe.7.dr Static PE information: section name:
Source: ladas[1].exe.7.dr Static PE information: section name: .idata
Source: ladas[1].exe.7.dr Static PE information: section name:
Source: ladas[1].exe.7.dr Static PE information: section name: nmikghcp
Source: ladas[1].exe.7.dr Static PE information: section name: bwcyllhk
Source: ladas[1].exe.7.dr Static PE information: section name: .taggant
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name:
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: .idata
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name:
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: nmikghcp
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: bwcyllhk
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: .taggant
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: plaza[1].exe.7.dr Static PE information: section name:
Source: amert[1].exe.7.dr Static PE information: section name:
Source: amert[1].exe.7.dr Static PE information: section name: .idata
Source: amert[1].exe.7.dr Static PE information: section name:
Source: amert[1].exe.7.dr Static PE information: section name: jiatpsvw
Source: amert[1].exe.7.dr Static PE information: section name: ibedqclu
Source: amert[1].exe.7.dr Static PE information: section name: .taggant
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name:
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: .idata
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name:
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: jiatpsvw
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: ibedqclu
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: .taggant
Source: niks[1].exe.7.dr Static PE information: section name:
Source: niks[1].exe.7.dr Static PE information: section name: .idata
Source: niks[1].exe.7.dr Static PE information: section name:
Source: niks[1].exe.7.dr Static PE information: section name: eigmswwb
Source: niks[1].exe.7.dr Static PE information: section name: dwznybac
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name:
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name: .idata
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name:
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name: eigmswwb
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name: dwznybac
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0014D638 push ecx; ret 0_2_0014D64B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0069D638 push ecx; ret 6_2_0069D64B
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: entropy: 7.982187152740301
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Static PE information: section name: zspkhdwt entropy: 7.951893514526255
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.982187152740301
Source: RageMP131.exe.0.dr Static PE information: section name: zspkhdwt entropy: 7.951893514526255
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.982187152740301
Source: MPGPH131.exe.0.dr Static PE information: section name: zspkhdwt entropy: 7.951893514526255
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: entropy: 7.980897136740185
Source: M2ZJsqaj4w0ejNj1ZjmR.exe.0.dr Static PE information: section name: nmikghcp entropy: 7.95107520293005
Source: plaza[1].exe.0.dr Static PE information: section name: entropy: 7.999577524029749
Source: plaza[1].exe.0.dr Static PE information: section name: entropy: 7.995428029085435
Source: plaza[1].exe.0.dr Static PE information: section name: entropy: 7.318387778423504
Source: plaza[1].exe.0.dr Static PE information: section name: entropy: 7.979666551505917
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name: entropy: 7.999577524029749
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name: entropy: 7.995428029085435
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name: entropy: 7.318387778423504
Source: Zjn91qMhbLU5NsMO5rSM.exe.0.dr Static PE information: section name: entropy: 7.979666551505917
Source: EdgeMS131.exe.0.dr Static PE information: section name: entropy: 7.981719532244563
Source: EdgeMS131.exe.0.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: ladas[1].exe.0.dr Static PE information: section name: entropy: 7.980897136740185
Source: ladas[1].exe.0.dr Static PE information: section name: nmikghcp entropy: 7.95107520293005
Source: niks[1].exe.0.dr Static PE information: section name: entropy: 7.784411772660034
Source: niks[1].exe.0.dr Static PE information: section name: eigmswwb entropy: 7.953163061978292
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name: entropy: 7.784411772660034
Source: odq7pDl9CbKN8ytjPilL.exe.0.dr Static PE information: section name: eigmswwb entropy: 7.953163061978292
Source: amert[1].exe.0.dr Static PE information: section name: entropy: 7.981719532244563
Source: amert[1].exe.0.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: entropy: 7.981719532244563
Source: MMTlnkECJXeMpKaFuTx0.exe.0.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: entropy: 7.981719532244563
Source: AdobeUpdaterV131.exe.0.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: entropy: 7.981719532244563
Source: MSIUpdaterV131.exe.0.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name: entropy: 7.999577524029749
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name: entropy: 7.995428029085435
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name: entropy: 7.318387778423504
Source: 1V9pvgNtHdfeQ8jORjMS.exe.7.dr Static PE information: section name: entropy: 7.979666551505917
Source: ladas[1].exe.7.dr Static PE information: section name: entropy: 7.980897136740185
Source: ladas[1].exe.7.dr Static PE information: section name: nmikghcp entropy: 7.95107520293005
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: entropy: 7.980897136740185
Source: KMO45Hpdl31XslGofw5s.exe.7.dr Static PE information: section name: nmikghcp entropy: 7.95107520293005
Source: plaza[1].exe.7.dr Static PE information: section name: entropy: 7.999577524029749
Source: plaza[1].exe.7.dr Static PE information: section name: entropy: 7.995428029085435
Source: plaza[1].exe.7.dr Static PE information: section name: entropy: 7.318387778423504
Source: plaza[1].exe.7.dr Static PE information: section name: entropy: 7.979666551505917
Source: amert[1].exe.7.dr Static PE information: section name: entropy: 7.981719532244563
Source: amert[1].exe.7.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: entropy: 7.981719532244563
Source: JCaP5kVFkKWwN4QTjz7m.exe.7.dr Static PE information: section name: jiatpsvw entropy: 7.953921327840455
Source: niks[1].exe.7.dr Static PE information: section name: entropy: 7.784411772660034
Source: niks[1].exe.7.dr Static PE information: section name: eigmswwb entropy: 7.953163061978292
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name: entropy: 7.784411772660034
Source: q96TsIrSnwwVcxc6LZrs.exe.7.dr Static PE information: section name: eigmswwb entropy: 7.953163061978292
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\niks[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\amert[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\plaza[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\fu[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS131\EdgeMS131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\fu[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\q96TsIrSnwwVcxc6LZrs.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\plaza[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\gkUaYYAOOAAa9lIItUw6.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\M2ZJsqaj4w0ejNj1ZjmR.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\odq7pDl9CbKN8ytjPilL.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\niks[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV131\AdobeUpdaterV131.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\1V9pvgNtHdfeQ8jORjMS.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\JCaP5kVFkKWwN4QTjz7m.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\Zjn91qMhbLU5NsMO5rSM.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\KMO45Hpdl31XslGofw5s.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\amert[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ladas[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ladas[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\MMTlnkECJXeMpKaFuTx0.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV131
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window searched: window name: Filemonclass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Window searched: window name: FilemonClass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS131.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000001AFC1E second address: 00000000001AFC29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F566D593656h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032898D second address: 00000000003289B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A73h 0x00000007 jmp 00007F566CF64A6Fh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000031085D second address: 0000000000310871 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F566D593658h 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F566D593656h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000310871 second address: 0000000000310875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032785F second address: 0000000000327863 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000327863 second address: 0000000000327897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jnc 00007F566CF64A66h 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F566CF64A79h 0x00000016 popad 0x00000017 pushad 0x00000018 jns 00007F566CF64A66h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003279E9 second address: 00000000003279ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000327CF0 second address: 0000000000327CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000327CF4 second address: 0000000000327D0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593662h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000327D0C second address: 0000000000327D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000327D12 second address: 0000000000327D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000327D16 second address: 0000000000327D1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000328176 second address: 000000000032817C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B067 second address: 000000000032B0B6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F566CF64A6Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d clc 0x0000000e push 00000000h 0x00000010 mov dword ptr [ebp+122D1A2Eh], eax 0x00000016 call 00007F566CF64A69h 0x0000001b je 00007F566CF64A76h 0x00000021 jmp 00007F566CF64A70h 0x00000026 push eax 0x00000027 push ebx 0x00000028 jnl 00007F566CF64A68h 0x0000002e pushad 0x0000002f popad 0x00000030 pop ebx 0x00000031 mov eax, dword ptr [esp+04h] 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B0B6 second address: 000000000032B0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B0BA second address: 000000000032B0C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007F566CF64A66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B0C8 second address: 000000000032B0CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B0CC second address: 000000000032B163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 ja 00007F566CF64A6Eh 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push edi 0x00000014 js 00007F566CF64A68h 0x0000001a pop edi 0x0000001b pop eax 0x0000001c sub dword ptr [ebp+122D29CFh], edi 0x00000022 push 00000003h 0x00000024 mov dword ptr [ebp+122D39ACh], edx 0x0000002a push 00000000h 0x0000002c call 00007F566CF64A73h 0x00000031 call 00007F566CF64A77h 0x00000036 jnp 00007F566CF64A66h 0x0000003c pop ecx 0x0000003d pop ecx 0x0000003e push 00000003h 0x00000040 or dword ptr [ebp+122D279Ah], ebx 0x00000046 call 00007F566CF64A69h 0x0000004b jmp 00007F566CF64A78h 0x00000050 push eax 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B163 second address: 000000000032B167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B167 second address: 000000000032B16B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B16B second address: 000000000032B17E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push esi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B17E second address: 000000000032B205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 mov eax, dword ptr [eax] 0x0000000a jbe 00007F566CF64A6Eh 0x00000010 jnc 00007F566CF64A68h 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a jmp 00007F566CF64A77h 0x0000001f pop eax 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F566CF64A68h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a mov si, ED60h 0x0000003e lea ebx, dword ptr [ebp+1244EF4Bh] 0x00000044 mov esi, dword ptr [ebp+122D2B49h] 0x0000004a pushad 0x0000004b mov dword ptr [ebp+122D29CFh], esi 0x00000051 sub edx, dword ptr [ebp+122D2C41h] 0x00000057 popad 0x00000058 xchg eax, ebx 0x00000059 jl 00007F566CF64A7Ch 0x0000005f push eax 0x00000060 push edx 0x00000061 jmp 00007F566CF64A6Ah 0x00000066 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B3EB second address: 000000000032B410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F566D593668h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032B410 second address: 000000000032B416 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1BF second address: 000000000034D1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1C5 second address: 000000000034D1CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1CA second address: 000000000034D1CF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1CF second address: 000000000034D1D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1D8 second address: 000000000034D1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1DC second address: 000000000034D1EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F566CF64AA6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D1EF second address: 000000000034D218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F566D593656h 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F566D59365Eh 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 ja 00007F566D593656h 0x0000001a ja 00007F566D593656h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D218 second address: 000000000034D226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034AF0F second address: 000000000034AF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F566D59366Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F566D593656h 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034AF3C second address: 000000000034AF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034B637 second address: 000000000034B63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034B63B second address: 000000000034B63F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034B7B6 second address: 000000000034B7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 js 00007F566D593656h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034B92F second address: 000000000034B93C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007F566CF64A66h 0x00000009 pop ebx 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034BABF second address: 000000000034BAD6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593663h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034BAD6 second address: 000000000034BADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034BD9D second address: 000000000034BDA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034C316 second address: 000000000034C32E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F566CF64A6Eh 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034CD2E second address: 000000000034CD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F566D593658h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034CD3A second address: 000000000034CD52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A72h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000034D025 second address: 000000000034D029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000354C48 second address: 0000000000354C52 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000354C52 second address: 0000000000354C6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566D593666h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032151F second address: 000000000032152D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jns 00007F566CF64A66h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000032152D second address: 0000000000321541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 jmp 00007F566D59365Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000358003 second address: 0000000000358009 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000358009 second address: 000000000035801D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F566D59365Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035844D second address: 0000000000358453 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000358453 second address: 0000000000358460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F566D593656h 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035888E second address: 00000000003588CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F566CF64A6Eh 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F566CF64A6Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F566CF64A77h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003588CD second address: 00000000003588E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003588E0 second address: 00000000003588E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003588E6 second address: 00000000003588EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003588EA second address: 0000000000358901 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F566CF64A6Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B661 second address: 000000000035B670 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B670 second address: 000000000035B676 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B676 second address: 000000000035B67B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B67B second address: 000000000035B692 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c ja 00007F566CF64A68h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B692 second address: 000000000035B6F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edx 0x0000000b jng 00007F566D593658h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 jmp 00007F566D59365Eh 0x0000001b pop eax 0x0000001c push 00000000h 0x0000001e push edi 0x0000001f call 00007F566D593658h 0x00000024 pop edi 0x00000025 mov dword ptr [esp+04h], edi 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edi 0x00000032 push edi 0x00000033 ret 0x00000034 pop edi 0x00000035 ret 0x00000036 mov edi, dword ptr [ebp+122D2AD1h] 0x0000003c call 00007F566D593659h 0x00000041 push eax 0x00000042 push edx 0x00000043 jg 00007F566D593658h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B6F2 second address: 000000000035B6F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B6F7 second address: 000000000035B6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B6FD second address: 000000000035B756 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pushad 0x0000000e jne 00007F566CF64A66h 0x00000014 jmp 00007F566CF64A78h 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F566CF64A76h 0x00000028 popad 0x00000029 pop edx 0x0000002a mov eax, dword ptr [eax] 0x0000002c pushad 0x0000002d jo 00007F566CF64A6Ch 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B756 second address: 000000000035B77B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593660h 0x00000009 popad 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jng 00007F566D593656h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B77B second address: 000000000035B786 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F566CF64A66h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B8EB second address: 000000000035B8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B8EF second address: 000000000035B8F9 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035BA77 second address: 000000000035BA7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035BB83 second address: 000000000035BB88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035C3B5 second address: 000000000035C3B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035C6D5 second address: 000000000035C6DF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F566CF64A6Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035C867 second address: 000000000035C87E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F566D59365Ah 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035C87E second address: 000000000035C8C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edx 0x0000000a call 00007F566CF64A68h 0x0000000f pop edx 0x00000010 mov dword ptr [esp+04h], edx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc edx 0x0000001d push edx 0x0000001e ret 0x0000001f pop edx 0x00000020 ret 0x00000021 jmp 00007F566CF64A6Eh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F566CF64A76h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035C8C9 second address: 000000000035C8D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F566D593656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035CD61 second address: 000000000035CD94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jno 00007F566CF64A6Bh 0x00000012 push 00000000h 0x00000014 or dword ptr [ebp+1244988Dh], edi 0x0000001a push 00000000h 0x0000001c mov si, dx 0x0000001f xchg eax, ebx 0x00000020 push edx 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035CD94 second address: 000000000035CDB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 jo 00007F566D59366Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F566D593660h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035D693 second address: 000000000035D697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035F054 second address: 000000000035F069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566D593661h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035EDEF second address: 000000000035EDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035EDF4 second address: 000000000035EDFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035FA0D second address: 000000000035FA8C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F566CF64A74h 0x00000008 jmp 00007F566CF64A6Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 push ebx 0x00000013 and esi, dword ptr [ebp+122D3A02h] 0x00000019 pop edi 0x0000001a call 00007F566CF64A6Bh 0x0000001f call 00007F566CF64A74h 0x00000024 sub dword ptr [ebp+1245011Dh], ecx 0x0000002a pop esi 0x0000002b pop esi 0x0000002c push 00000000h 0x0000002e clc 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push edx 0x00000034 call 00007F566CF64A68h 0x00000039 pop edx 0x0000003a mov dword ptr [esp+04h], edx 0x0000003e add dword ptr [esp+04h], 0000001Bh 0x00000046 inc edx 0x00000047 push edx 0x00000048 ret 0x00000049 pop edx 0x0000004a ret 0x0000004b mov dword ptr [ebp+1246154Bh], edx 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 pop edi 0x00000058 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035FA8C second address: 000000000035FA9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035FA9F second address: 000000000035FAA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035FAA5 second address: 000000000035FAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000361036 second address: 000000000036106C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F566CF64A68h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov dword ptr [ebp+12460182h], ebx 0x00000015 push 00000000h 0x00000017 jbe 00007F566CF64A6Ah 0x0000001d mov si, A556h 0x00000021 push 00000000h 0x00000023 pushad 0x00000024 stc 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b jp 00007F566CF64A66h 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036106C second address: 0000000000361070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003619F3 second address: 0000000000361A9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F566CF64A78h 0x00000008 jno 00007F566CF64A66h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007F566CF64A68h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e pushad 0x0000002f call 00007F566CF64A6Ah 0x00000034 mov dword ptr [ebp+12461136h], ecx 0x0000003a pop edx 0x0000003b sub dword ptr [ebp+1247632Dh], eax 0x00000041 popad 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push esi 0x00000047 call 00007F566CF64A68h 0x0000004c pop esi 0x0000004d mov dword ptr [esp+04h], esi 0x00000051 add dword ptr [esp+04h], 00000018h 0x00000059 inc esi 0x0000005a push esi 0x0000005b ret 0x0000005c pop esi 0x0000005d ret 0x0000005e push 00000000h 0x00000060 call 00007F566CF64A74h 0x00000065 xor di, 6FA7h 0x0000006a pop edi 0x0000006b push eax 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000361A9A second address: 0000000000361A9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003621AF second address: 00000000003621BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003621BC second address: 00000000003621C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000363BE5 second address: 0000000000363BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000363BE9 second address: 0000000000363BF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edi 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003651BA second address: 00000000003651D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003651D0 second address: 00000000003651EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566D593668h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003651EE second address: 0000000000365213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jc 00007F566CF64A6Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000365213 second address: 0000000000365231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F566D593663h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000365231 second address: 0000000000365235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000365235 second address: 0000000000365245 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F566D593656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036782A second address: 0000000000367840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367840 second address: 0000000000367844 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000365A39 second address: 0000000000365A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000031C50B second address: 000000000031C50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367E0E second address: 0000000000367E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367E12 second address: 0000000000367E62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F566D59365Ah 0x0000000b popad 0x0000000c push eax 0x0000000d jmp 00007F566D593663h 0x00000012 nop 0x00000013 jmp 00007F566D59365Bh 0x00000018 add bx, AB1Ch 0x0000001d push 00000000h 0x0000001f jng 00007F566D59365Ah 0x00000025 push 00000000h 0x00000027 add ebx, 79ACA321h 0x0000002d push eax 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367E62 second address: 0000000000367E66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367FA6 second address: 0000000000367FAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367FAA second address: 0000000000367FB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F566CF64A66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000367FB4 second address: 0000000000367FB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000369C8A second address: 0000000000369C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000369C8E second address: 0000000000369CA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593663h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000369CA5 second address: 0000000000369CC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jne 00007F566CF64A68h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000368ED8 second address: 0000000000368EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000368EDE second address: 0000000000368EE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036AE07 second address: 000000000036AE30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593665h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b js 00007F566D59367Ah 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007F566D593656h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036B0C1 second address: 000000000036B0C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036B0C5 second address: 000000000036B0E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F566D593667h 0x0000000f jmp 00007F566D593661h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036CF5F second address: 000000000036CF63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036CF63 second address: 000000000036CF7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593664h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036CF7B second address: 000000000036D003 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F566CF64A68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F566CF64A71h 0x00000011 pushad 0x00000012 jmp 00007F566CF64A74h 0x00000017 push edx 0x00000018 pop edx 0x00000019 popad 0x0000001a popad 0x0000001b nop 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007F566CF64A68h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000019h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 mov dword ptr [ebp+122D186Ch], edx 0x0000003c push 00000000h 0x0000003e xor edi, dword ptr [ebp+122D2DA5h] 0x00000044 or dword ptr [ebp+122D5A14h], edx 0x0000004a push 00000000h 0x0000004c mov dword ptr [ebp+122D3980h], esi 0x00000052 jnp 00007F566CF64A6Ch 0x00000058 xor ebx, dword ptr [ebp+122D1A48h] 0x0000005e push eax 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push edx 0x00000063 pop edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036D003 second address: 000000000036D007 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036D123 second address: 000000000036D129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036D129 second address: 000000000036D13F instructions: 0x00000000 rdtsc 0x00000002 jo 00007F566D59365Ch 0x00000008 jnl 00007F566D593656h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036D1F0 second address: 000000000036D206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A6Eh 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036D206 second address: 000000000036D21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F566D59365Bh 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036DFE0 second address: 000000000036E086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F566CF64A68h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 add ebx, dword ptr [ebp+122D5A6Eh] 0x00000029 push dword ptr fs:[00000000h] 0x00000030 add bh, 0000004Bh 0x00000033 push ecx 0x00000034 and ebx, dword ptr [ebp+122D2DD1h] 0x0000003a pop edi 0x0000003b mov dword ptr fs:[00000000h], esp 0x00000042 mov dword ptr [ebp+122D3980h], ebx 0x00000048 mov eax, dword ptr [ebp+122D0AADh] 0x0000004e jmp 00007F566CF64A73h 0x00000053 push FFFFFFFFh 0x00000055 push 00000000h 0x00000057 push ecx 0x00000058 call 00007F566CF64A68h 0x0000005d pop ecx 0x0000005e mov dword ptr [esp+04h], ecx 0x00000062 add dword ptr [esp+04h], 0000001Ah 0x0000006a inc ecx 0x0000006b push ecx 0x0000006c ret 0x0000006d pop ecx 0x0000006e ret 0x0000006f call 00007F566CF64A6Eh 0x00000074 sbb bx, AB0Fh 0x00000079 pop ebx 0x0000007a nop 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e push eax 0x0000007f push edx 0x00000080 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036E086 second address: 000000000036E09F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593664h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036E09F second address: 000000000036E0A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036FE15 second address: 000000000036FE19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036FE19 second address: 000000000036FE1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036FE1F second address: 000000000036FE24 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036EFDC second address: 000000000036EFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F566CF64A66h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000370DBB second address: 0000000000370DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000370DC1 second address: 0000000000370DC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000036FF6F second address: 000000000036FF79 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F566D593656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000370FA8 second address: 0000000000370FAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000370FAC second address: 0000000000370FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F566D59365Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000370FBE second address: 0000000000370FC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000371084 second address: 0000000000371088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000372F6A second address: 0000000000372F6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000373F09 second address: 0000000000373F17 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F566D593656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000373F17 second address: 0000000000373F1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000373173 second address: 0000000000373177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000373177 second address: 000000000037317D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003752BA second address: 00000000003752C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000376244 second address: 000000000037624E instructions: 0x00000000 rdtsc 0x00000002 jno 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000037F4E9 second address: 000000000037F50B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593667h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000037F50B second address: 000000000037F50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000037F50F second address: 000000000037F515 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000037F515 second address: 000000000037F51C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000037EFD4 second address: 000000000037EFDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000037EFDA second address: 000000000037EFFB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F566CF64A74h 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038345D second address: 0000000000383480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F566D59365Bh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jo 00007F566D593656h 0x0000001a push eax 0x0000001b pop eax 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003835F1 second address: 000000000038360F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F566CF64A68h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e pushad 0x0000000f pushad 0x00000010 js 00007F566CF64A66h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000383698 second address: 000000000038369C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038369C second address: 00000000003836A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003836A6 second address: 00000000003836AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A17B second address: 000000000038A183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A183 second address: 000000000038A18A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A18A second address: 000000000038A19F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b js 00007F566CF64A66h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A19F second address: 000000000038A1B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F566D593668h 0x0000000b jmp 00007F566D59365Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A1B8 second address: 000000000038A1BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A304 second address: 000000000038A30A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A30A second address: 000000000038A314 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A314 second address: 000000000038A31A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A31A second address: 000000000038A31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A4A0 second address: 000000000038A4FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F566D593664h 0x00000008 jp 00007F566D593656h 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 jg 00007F566D593658h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c pushad 0x0000001d jmp 00007F566D593665h 0x00000022 push edi 0x00000023 pop edi 0x00000024 jng 00007F566D593656h 0x0000002a popad 0x0000002b jmp 00007F566D593661h 0x00000030 pushad 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A4FE second address: 000000000038A518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A74h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A518 second address: 000000000038A525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F566D593656h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A68B second address: 000000000038A690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A690 second address: 000000000038A69A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F566D593656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A7F6 second address: 000000000038A7FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038A7FC second address: 000000000038A800 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000038D99A second address: 000000000038D99F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000030ED07 second address: 000000000030ED0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003230AA second address: 00000000003230F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F566CF64A70h 0x0000000e jmp 00007F566CF64A71h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 jmp 00007F566CF64A79h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003920F3 second address: 00000000003920F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003920F7 second address: 0000000000392101 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F566CF64A66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392101 second address: 0000000000392107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392107 second address: 000000000039210D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039210D second address: 0000000000392113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392113 second address: 0000000000392117 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035A2F1 second address: 000000000035A2F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035A2F7 second address: 000000000035A2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035A2FB second address: 000000000035A312 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F566D59365Ch 0x00000011 jbe 00007F566D593656h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035A75B second address: 000000000035A765 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035A765 second address: 000000000035A76B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035A9BB second address: 000000000035A9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035AB56 second address: 000000000035AB60 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F566D59365Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035B367 second address: 0000000000342339 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F566CF64A75h 0x0000000b popad 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D1D2Bh], eax 0x00000013 mov edx, dword ptr [ebp+122D2C7Dh] 0x00000019 lea eax, dword ptr [ebp+1247DE66h] 0x0000001f mov ecx, dword ptr [ebp+122D2B9Dh] 0x00000025 push eax 0x00000026 jmp 00007F566CF64A6Bh 0x0000002b mov dword ptr [esp], eax 0x0000002e mov ecx, dword ptr [ebp+122D2C01h] 0x00000034 push ebx 0x00000035 sub dword ptr [ebp+122D2A2Eh], edx 0x0000003b pop edx 0x0000003c lea eax, dword ptr [ebp+1247DE22h] 0x00000042 jno 00007F566CF64A6Ah 0x00000048 nop 0x00000049 jmp 00007F566CF64A6Ch 0x0000004e push eax 0x0000004f push esi 0x00000050 jnp 00007F566CF64A6Ch 0x00000056 pop esi 0x00000057 nop 0x00000058 movsx edi, bx 0x0000005b call dword ptr [ebp+122D3B0Bh] 0x00000061 pushad 0x00000062 jmp 00007F566CF64A71h 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000342339 second address: 0000000000342352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593663h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003923B7 second address: 00000000003923BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003923BD second address: 00000000003923C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392695 second address: 0000000000392699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392957 second address: 000000000039296B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F566D593656h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039296B second address: 0000000000392971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392971 second address: 000000000039298F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593669h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039298F second address: 000000000039299F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F566CF64A66h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392B13 second address: 0000000000392B48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593663h 0x00000007 jmp 00007F566D593666h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jl 00007F566D59365Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392B48 second address: 0000000000392B4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392B4C second address: 0000000000392B67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F566D593665h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392B67 second address: 0000000000392B88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F566CF64A71h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007F566CF64A66h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392CFD second address: 0000000000392D17 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F566D593656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F566D593660h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392D17 second address: 0000000000392D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392D1D second address: 0000000000392D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392D23 second address: 0000000000392D27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000392D27 second address: 0000000000392D2B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039902B second address: 000000000039902F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039902F second address: 0000000000399033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000399033 second address: 000000000039905F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F566CF64A7Eh 0x0000000c je 00007F566CF64A6Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003981DC second address: 00000000003981F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007F566D593656h 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003981F4 second address: 00000000003981F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000398345 second address: 000000000039836D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593665h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jl 00007F566D593656h 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003987C2 second address: 00000000003987C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003987C6 second address: 00000000003987DF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F566D593656h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 ja 00007F566D593656h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003987DF second address: 0000000000398806 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Ch 0x00000007 jmp 00007F566CF64A73h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000398806 second address: 000000000039880A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039880A second address: 000000000039880E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000039880E second address: 0000000000398816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000398816 second address: 0000000000398824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566CF64A6Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000398CE9 second address: 0000000000398CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000398CED second address: 0000000000398CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A3176 second address: 00000000003A3194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F566D593660h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A1BCC second address: 00000000003A1BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A1BD0 second address: 00000000003A1BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A1D22 second address: 00000000003A1D59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 jo 00007F566CF64A66h 0x0000000d popad 0x0000000e jno 00007F566CF64A79h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jns 00007F566CF64A6Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A257D second address: 00000000003A2587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A2587 second address: 00000000003A258C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A258C second address: 00000000003A2595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A2595 second address: 00000000003A259D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A259D second address: 00000000003A25A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A29CB second address: 00000000003A29EC instructions: 0x00000000 rdtsc 0x00000002 jg 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F566CF64A75h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A29EC second address: 00000000003A2A09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A2A09 second address: 00000000003A2A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A2A0F second address: 00000000003A2A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A2A14 second address: 00000000003A2A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F566CF64A75h 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A2A38 second address: 00000000003A2A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A5696 second address: 00000000003A569A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A57E5 second address: 00000000003A57F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007F566D593656h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A8E0D second address: 00000000003A8E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A8747 second address: 00000000003A874B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A874B second address: 00000000003A875F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A875F second address: 00000000003A8789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F566D593666h 0x0000000d popad 0x0000000e push edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 je 00007F566D593656h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003A8A3D second address: 00000000003A8A4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003ADFD1 second address: 00000000003ADFE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D593661h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003AD202 second address: 00000000003AD248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A77h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F566CF64A77h 0x00000010 popad 0x00000011 jmp 00007F566CF64A71h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003AD618 second address: 00000000003AD635 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jl 00007F566D59366Ch 0x0000000d jno 00007F566D593658h 0x00000013 push eax 0x00000014 push edx 0x00000015 jng 00007F566D593656h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003AD7B3 second address: 00000000003AD7B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003AD98F second address: 00000000003AD9B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593667h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F566D593656h 0x00000011 ja 00007F566D593656h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003AD9B8 second address: 00000000003ADA05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A6Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007F566CF64A68h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F566CF64A74h 0x00000019 jns 00007F566CF64A66h 0x0000001f push eax 0x00000020 pop eax 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 popad 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 jns 00007F566CF64A66h 0x0000002e jl 00007F566CF64A66h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003ADB82 second address: 00000000003ADB8C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F566D593656h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003ADB8C second address: 00000000003ADB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B2BDD second address: 00000000003B2BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B2BE3 second address: 00000000003B2BE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B2BE8 second address: 00000000003B2BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F566D593656h 0x0000000a jbe 00007F566D593656h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B2BF8 second address: 00000000003B2C06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B2F29 second address: 00000000003B2F2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B2F2E second address: 00000000003B2F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F566CF64A66h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F566CF64A73h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035AF6B second address: 000000000035AF71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035AF71 second address: 000000000035AFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F566CF64A68h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 jmp 00007F566CF64A6Fh 0x00000027 push 0000001Eh 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007F566CF64A68h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 mov edx, ebx 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F566CF64A77h 0x0000004d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B31D6 second address: 00000000003B3201 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F566D593656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jng 00007F566D593656h 0x00000011 jmp 00007F566D593663h 0x00000016 jnc 00007F566D593656h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B80E8 second address: 00000000003B812D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Fh 0x00000007 pushad 0x00000008 jmp 00007F566CF64A78h 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F566CF64A6Dh 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jl 00007F566CF64A6Ch 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B812D second address: 00000000003B8184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jnl 00007F566D593656h 0x0000000b jns 00007F566D593656h 0x00000011 pop eax 0x00000012 push edx 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jmp 00007F566D593667h 0x0000001a pop edx 0x0000001b pushad 0x0000001c jmp 00007F566D593664h 0x00000021 jmp 00007F566D593663h 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B77CB second address: 00000000003B77E0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F566CF64A66h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007F566CF64A66h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003B77E0 second address: 00000000003B77E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174AF second address: 00000000003174B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174B5 second address: 00000000003174B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174B9 second address: 00000000003174C3 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F566CF64A66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174C3 second address: 00000000003174CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174CF second address: 00000000003174D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174D3 second address: 00000000003174EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F566D59365Eh 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174EF second address: 00000000003174F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003174F3 second address: 000000000031750C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F566D59365Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003BEF49 second address: 00000000003BEF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003BEF4D second address: 00000000003BEF5F instructions: 0x00000000 rdtsc 0x00000002 jng 00007F566D593656h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003BF0B2 second address: 00000000003BF0E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566CF64A75h 0x00000009 pop esi 0x0000000a jne 00007F566CF64A90h 0x00000010 jne 00007F566CF64A6Eh 0x00000016 pushad 0x00000017 popad 0x00000018 jns 00007F566CF64A66h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003BF0E6 second address: 00000000003BF0EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C02B0 second address: 00000000003C02CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jne 00007F566CF64A66h 0x0000000e jg 00007F566CF64A66h 0x00000014 jbe 00007F566CF64A66h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C02CB second address: 00000000003C02D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C905F second address: 00000000003C908C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F566CF64A75h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jp 00007F566CF64A66h 0x00000014 pushad 0x00000015 popad 0x00000016 jbe 00007F566CF64A66h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C908C second address: 00000000003C90A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566D593666h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C90A6 second address: 00000000003C90C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F566CF64A76h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C922B second address: 00000000003C923E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F566D59365Eh 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C9373 second address: 00000000003C9381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F566CF64A66h 0x0000000a popad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C98A3 second address: 00000000003C98A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003C98A7 second address: 00000000003C98AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D2F38 second address: 00000000003D2F4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jp 00007F566D593656h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D118B second address: 00000000003D1194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1194 second address: 00000000003D119E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F566D593656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D119E second address: 00000000003D11AE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F566CF64A66h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D11AE second address: 00000000003D11E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F566D593669h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F566D59365Fh 0x00000012 jng 00007F566D593656h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1632 second address: 00000000003D164A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F566CF64A6Ch 0x0000000a pop ebx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1A59 second address: 00000000003D1A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F566D593656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1A63 second address: 00000000003D1A90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F566CF64A70h 0x0000000b pushad 0x0000000c ja 00007F566CF64A66h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 popad 0x00000016 ja 00007F566CF64A88h 0x0000001c push eax 0x0000001d push edx 0x0000001e push edi 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1A90 second address: 00000000003D1A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1D9C second address: 00000000003D1DB0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F566CF64A6Eh 0x0000000c pushad 0x0000000d popad 0x0000000e jc 00007F566CF64A66h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D1F10 second address: 00000000003D1F41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push edx 0x0000000b jnc 00007F566D593656h 0x00000011 jmp 00007F566D593660h 0x00000016 pop edx 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a push edx 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push esi 0x0000001e pop esi 0x0000001f pop edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D2600 second address: 00000000003D2606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D0B94 second address: 00000000003D0B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D0B98 second address: 00000000003D0BD1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F566CF64A66h 0x00000008 jbe 00007F566CF64A66h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F566CF64A76h 0x00000015 push ebx 0x00000016 jmp 00007F566CF64A6Ch 0x0000001b push esi 0x0000001c pop esi 0x0000001d pop ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D96D9 second address: 00000000003D96EA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push ebx 0x00000009 jl 00007F566D593656h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003D9893 second address: 00000000003D98A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F566CF64A6Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003E6968 second address: 00000000003E696C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003E696C second address: 00000000003E69A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F566CF64A66h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c js 00007F566CF64A73h 0x00000012 jmp 00007F566CF64A6Bh 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 jmp 00007F566CF64A73h 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 push edx 0x00000026 pop edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003E69A7 second address: 00000000003E69BB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F566D593656h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007F566D593662h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003E69BB second address: 00000000003E69C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000003E69C1 second address: 00000000003E69C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000040129B second address: 00000000004012A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jnp 00007F566CF64A66h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401855 second address: 0000000000401859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401859 second address: 0000000000401871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F566CF64A6Eh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401B2F second address: 0000000000401B3B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F566D593656h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401B3B second address: 0000000000401B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566CF64A75h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401B54 second address: 0000000000401B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401B5A second address: 0000000000401B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401B64 second address: 0000000000401B6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000401B6A second address: 0000000000401B6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000040280A second address: 000000000040280E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000040280E second address: 0000000000402825 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A73h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000004088DD second address: 0000000000408909 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F566D593664h 0x0000000f jmp 00007F566D59365Eh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000408909 second address: 0000000000408926 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A77h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000408926 second address: 000000000040892C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000421695 second address: 00000000004216B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 ja 00007F566CF64A66h 0x0000000c jmp 00007F566CF64A75h 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000004216B7 second address: 00000000004216D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F566D593656h 0x00000009 jnc 00007F566D593656h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 je 00007F566D593662h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000004216D1 second address: 00000000004216D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000430F81 second address: 0000000000430F86 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000430F86 second address: 0000000000430F9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F566CF64A66h 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jbe 00007F566CF64A68h 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000433B00 second address: 0000000000433B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045B1C9 second address: 000000000045B201 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007F566CF64A66h 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F566CF64A6Dh 0x00000017 popad 0x00000018 jmp 00007F566CF64A6Ah 0x0000001d push esi 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045B201 second address: 000000000045B20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A122 second address: 000000000045A128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A128 second address: 000000000045A14A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F566D593664h 0x0000000a pushad 0x0000000b popad 0x0000000c jnl 00007F566D593656h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A2A5 second address: 000000000045A2B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A2B0 second address: 000000000045A2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A2B6 second address: 000000000045A2C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F566CF64A66h 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A439 second address: 000000000045A443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A5B2 second address: 000000000045A5BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F566CF64A66h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045A5BE second address: 000000000045A611 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Bh 0x00000007 jg 00007F566D593656h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jbe 00007F566D593656h 0x00000016 jmp 00007F566D593661h 0x0000001b jnc 00007F566D593656h 0x00000021 jns 00007F566D593656h 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a jmp 00007F566D59365Dh 0x0000002f push eax 0x00000030 push edx 0x00000031 js 00007F566D593656h 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045AA8A second address: 000000000045AAA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F566CF64A72h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045ABF5 second address: 000000000045ABFF instructions: 0x00000000 rdtsc 0x00000002 je 00007F566D593656h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045ABFF second address: 000000000045AC0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F566CF64A6Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000045AEC4 second address: 000000000045AEC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000046099F second address: 00000000004609CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A70h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp], eax 0x0000000d mov dx, 0020h 0x00000011 push 00000004h 0x00000013 sub dword ptr [ebp+1244D23Bh], eax 0x00000019 sub dh, FFFFFFECh 0x0000001c push 8B5B53FCh 0x00000021 push edx 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000046240C second address: 0000000000462412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000462412 second address: 0000000000462418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000004644F7 second address: 000000000046451D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593666h 0x00000007 jmp 00007F566D59365Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000046451D second address: 0000000000464527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F566CF64A66h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000000464527 second address: 0000000000464531 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F566D593656h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052D072F second address: 00000000052D0735 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052D0735 second address: 00000000052D0739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052D0739 second address: 00000000052D073D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052D073D second address: 00000000052D0754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F566D59365Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0EFB second address: 00000000052A0EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0EFF second address: 00000000052A0F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F05 second address: 00000000052A0F14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566CF64A6Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F14 second address: 00000000052A0F18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F18 second address: 00000000052A0F4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F566CF64A72h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F566CF64A77h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F4F second address: 00000000052A0F57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F57 second address: 00000000052A0F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F566CF64A73h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F75 second address: 00000000052A0F7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F7B second address: 00000000052A0F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0F7F second address: 00000000052A0F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310687 second address: 00000000053106AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F566CF64A6Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053106AB second address: 00000000053106F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 4ED35674h 0x00000008 pushfd 0x00000009 jmp 00007F566D59365Dh 0x0000000e jmp 00007F566D59365Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F566D593666h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 mov ecx, ebx 0x00000024 mov ebx, 5EA2D09Ch 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053106F4 second address: 00000000053106FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053106FA second address: 000000000531070C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov bl, 75h 0x0000000e movzx eax, dx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000531070C second address: 0000000005310712 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0BDB second address: 00000000052A0C0B instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F566D593668h 0x00000008 or cl, FFFFFFA8h 0x0000000b jmp 00007F566D59365Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0C0B second address: 00000000052A0C8F instructions: 0x00000000 rdtsc 0x00000002 mov cx, 5A31h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F566CF64A6Ch 0x0000000f push eax 0x00000010 jmp 00007F566CF64A6Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov ecx, 4167899Bh 0x0000001c push esi 0x0000001d pushfd 0x0000001e jmp 00007F566CF64A77h 0x00000023 xor ah, FFFFFFFEh 0x00000026 jmp 00007F566CF64A79h 0x0000002b popfd 0x0000002c pop esi 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 jmp 00007F566CF64A77h 0x00000035 push dword ptr [ebp+04h] 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b push edi 0x0000003c pop ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0C8F second address: 00000000052A0C94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052A0D32 second address: 00000000052A0D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000531039C second address: 0000000005310403 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F566D593661h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 movzx ecx, dx 0x00000014 mov bh, ECh 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov si, bx 0x0000001f pushfd 0x00000020 jmp 00007F566D593669h 0x00000025 sub ah, FFFFFFC6h 0x00000028 jmp 00007F566D593661h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310403 second address: 0000000005310413 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566CF64A6Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0CA6 second address: 00000000052E0CF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F566D593664h 0x00000011 and cl, FFFFFF98h 0x00000014 jmp 00007F566D59365Bh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F566D593666h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0CF3 second address: 00000000052E0D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A72h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F566CF64A6Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0D1C second address: 00000000052E0D22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0D22 second address: 00000000052E0D74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F566CF64A6Ah 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F566CF64A73h 0x00000016 pushfd 0x00000017 jmp 00007F566CF64A78h 0x0000001c sub ch, 00000018h 0x0000001f jmp 00007F566CF64A6Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053303FD second address: 0000000005330403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005330403 second address: 0000000005330407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005330407 second address: 000000000533041F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F566D59365Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000533041F second address: 000000000533045B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F566CF64A6Eh 0x0000000f mov ebp, esp 0x00000011 jmp 00007F566CF64A70h 0x00000016 pop ebp 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000533045B second address: 000000000533045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310D37 second address: 0000000005310D46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310D46 second address: 0000000005310D90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F566D593661h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 call 00007F566D593663h 0x00000018 pop eax 0x00000019 push ebx 0x0000001a pop esi 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310D90 second address: 0000000005310D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310D96 second address: 0000000005310DB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F566D59365Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310DB8 second address: 0000000005310DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000531046E second address: 0000000005310474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310474 second address: 00000000053104D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F566CF64A73h 0x00000014 pushfd 0x00000015 jmp 00007F566CF64A78h 0x0000001a or ax, 0A18h 0x0000001f jmp 00007F566CF64A6Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053104D5 second address: 000000000531052A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F566D593661h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F566D59365Eh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F566D59365Dh 0x0000001f pop ecx 0x00000020 movsx ebx, si 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310BA2 second address: 0000000005310BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310BA6 second address: 0000000005310BAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310BAC second address: 0000000005310BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566CF64A72h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310BC2 second address: 0000000005310BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0BAC second address: 00000000052E0BB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0BB0 second address: 00000000052E0BCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0BCD second address: 00000000052E0C44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 mov al, bh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c push ecx 0x0000000d push edi 0x0000000e pop eax 0x0000000f pop edi 0x00000010 mov ch, B5h 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F566CF64A70h 0x0000001b xor eax, 4A7A4EB8h 0x00000021 jmp 00007F566CF64A6Bh 0x00000026 popfd 0x00000027 movzx ecx, di 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c jmp 00007F566CF64A6Bh 0x00000031 mov ebp, esp 0x00000033 pushad 0x00000034 push eax 0x00000035 mov esi, ebx 0x00000037 pop edx 0x00000038 popad 0x00000039 pop ebp 0x0000003a pushad 0x0000003b mov ebx, 767AE63Ah 0x00000040 push eax 0x00000041 push edx 0x00000042 pushfd 0x00000043 jmp 00007F566CF64A71h 0x00000048 jmp 00007F566CF64A6Bh 0x0000004d popfd 0x0000004e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310EC4 second address: 0000000005310EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F566D59365Dh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c mov al, 4Fh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310EDA second address: 0000000005310EEB instructions: 0x00000000 rdtsc 0x00000002 mov edi, 6ABD338Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310EEB second address: 0000000005310EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310EEF second address: 0000000005310EF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310EF5 second address: 0000000005310F1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310F1A second address: 0000000005310F20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310F20 second address: 0000000005310F45 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593662h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F566D59365Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310F45 second address: 0000000005310F54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320B71 second address: 0000000005320B77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320B77 second address: 0000000005320BC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A71h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d movzx eax, bx 0x00000010 mov bx, CEACh 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F566CF64A70h 0x0000001d xor al, FFFFFFC8h 0x00000020 jmp 00007F566CF64A6Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320BC2 second address: 0000000005320BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320BC8 second address: 0000000005320BF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F566CF64A6Fh 0x00000008 pop ecx 0x00000009 mov ax, dx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F566CF64A6Eh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320BF3 second address: 0000000005320BF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320BF9 second address: 0000000005320BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320BFD second address: 0000000005320C01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320C01 second address: 0000000005320C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F566CF64A75h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320C21 second address: 0000000005320CA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ecx 0x0000000c jmp 00007F566D59365Eh 0x00000011 mov eax, dword ptr [76FA65FCh] 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F566D59365Eh 0x0000001d xor esi, 10F0DD78h 0x00000023 jmp 00007F566D59365Bh 0x00000028 popfd 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c mov eax, 08AA84CBh 0x00000031 popad 0x00000032 popad 0x00000033 test eax, eax 0x00000035 jmp 00007F566D59365Eh 0x0000003a je 00007F56DF196334h 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 jmp 00007F566D59365Dh 0x00000048 movzx esi, di 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320CA2 second address: 0000000005320CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320CB8 second address: 0000000005320CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320CD5 second address: 0000000005320CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320CDB second address: 0000000005320CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320CDF second address: 0000000005320D04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f mov esi, edi 0x00000011 push eax 0x00000012 push edx 0x00000013 mov bx, 8BC2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320D04 second address: 0000000005320D6C instructions: 0x00000000 rdtsc 0x00000002 mov cx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 and ecx, 1Fh 0x0000000b jmp 00007F566D593665h 0x00000010 ror eax, cl 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F566D593663h 0x0000001b sub cl, 0000001Eh 0x0000001e jmp 00007F566D593669h 0x00000023 popfd 0x00000024 call 00007F566D593660h 0x00000029 pop eax 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053201D0 second address: 00000000053201D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053201D4 second address: 00000000053201DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053201DA second address: 00000000053201E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0016 second address: 00000000052E001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E001C second address: 00000000052E009E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F566CF64A6Eh 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F566CF64A71h 0x00000019 sub cx, C616h 0x0000001e jmp 00007F566CF64A71h 0x00000023 popfd 0x00000024 call 00007F566CF64A70h 0x00000029 pop ecx 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c pushad 0x0000002d mov ebx, 16CD8F4Eh 0x00000032 mov ecx, ebx 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F566CF64A73h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E009E second address: 00000000052E00A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E00A4 second address: 00000000052E00AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E00AA second address: 00000000052E00AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E00AE second address: 00000000052E00D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F566CF64A79h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E00D4 second address: 00000000052E0124 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F566D59365Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F566D59365Ch 0x00000019 jmp 00007F566D593665h 0x0000001e popfd 0x0000001f mov cx, 1DE7h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0124 second address: 00000000052E012A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E012A second address: 00000000052E012E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E012E second address: 00000000052E01E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F566CF64A74h 0x00000013 add esi, 6EBCC878h 0x00000019 jmp 00007F566CF64A6Bh 0x0000001e popfd 0x0000001f jmp 00007F566CF64A78h 0x00000024 popad 0x00000025 xchg eax, ebx 0x00000026 jmp 00007F566CF64A70h 0x0000002b push eax 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F566CF64A71h 0x00000033 sub ax, D276h 0x00000038 jmp 00007F566CF64A71h 0x0000003d popfd 0x0000003e jmp 00007F566CF64A70h 0x00000043 popad 0x00000044 xchg eax, ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 call 00007F566CF64A6Dh 0x0000004d pop ecx 0x0000004e movsx edx, cx 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E01E8 second address: 00000000052E0202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566D593666h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0329 second address: 00000000052E032F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E032F second address: 00000000052E0333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0333 second address: 00000000052E0368 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a call 00007F566CF64A6Dh 0x0000000f mov edi, ecx 0x00000011 pop esi 0x00000012 mov ax, dx 0x00000015 popad 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F566CF64A71h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0368 second address: 00000000052E036E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E036E second address: 00000000052E03A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F56DEBA2CFDh 0x0000000f jmp 00007F566CF64A70h 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov bl, BEh 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E03A3 second address: 00000000052E0408 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F566D59365Bh 0x00000008 pop esi 0x00000009 call 00007F566D593669h 0x0000000e pop eax 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 je 00007F56DF1D18B2h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F566D593668h 0x00000021 or eax, 3AC85808h 0x00000027 jmp 00007F566D59365Bh 0x0000002c popfd 0x0000002d mov ax, 5E7Fh 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0408 second address: 00000000052E040E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E040E second address: 00000000052E0412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0412 second address: 00000000052E0435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F566CF64A76h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0435 second address: 00000000052E044C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F566D593661h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E044C second address: 00000000052E0485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 or edx, dword ptr [ebp+0Ch] 0x0000000a jmp 00007F566CF64A6Dh 0x0000000f test edx, 61000000h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F566CF64A78h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E0485 second address: 00000000052E048B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E048B second address: 00000000052E049C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566CF64A6Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052E049C second address: 00000000052E04CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F56DF1D183Ah 0x0000000e jmp 00007F566D59365Dh 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F566D59365Dh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F008E second address: 00000000052F0093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F0289 second address: 00000000052F02C8 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 196F1867h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F566D59365Ch 0x0000000f adc cx, 9E98h 0x00000014 jmp 00007F566D59365Bh 0x00000019 popfd 0x0000001a popad 0x0000001b mov edx, dword ptr [ebp+0Ch] 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F566D593660h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F02C8 second address: 00000000052F02CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F02CE second address: 00000000052F02D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F02D4 second address: 00000000052F02D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F02D8 second address: 00000000052F02DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F02DC second address: 00000000052F0332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 pushad 0x0000000a mov esi, 48A2D141h 0x0000000f pushad 0x00000010 mov cl, BBh 0x00000012 pushfd 0x00000013 jmp 00007F566CF64A79h 0x00000018 and si, 0046h 0x0000001d jmp 00007F566CF64A71h 0x00000022 popfd 0x00000023 popad 0x00000024 popad 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F566CF64A6Dh 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F0332 second address: 00000000052F0362 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 5190AFE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F566D59365Ch 0x0000000e popad 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F566D593667h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F0362 second address: 00000000052F0395 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b jmp 00007F566CF64A6Ch 0x00000010 mov dword ptr [esp], ebx 0x00000013 jmp 00007F566CF64A70h 0x00000018 push dword ptr [ebp+14h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F0395 second address: 00000000052F0399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F0399 second address: 00000000052F03B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F03B6 second address: 00000000052F03C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F566D59365Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000052F0470 second address: 00000000052F0476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053517EF second address: 00000000053518D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007F566D59365Ch 0x00000010 push esi 0x00000011 pop edi 0x00000012 pop esi 0x00000013 pushfd 0x00000014 jmp 00007F566D593667h 0x00000019 sub ecx, 01A9AE0Eh 0x0000001f jmp 00007F566D593669h 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 jmp 00007F566D593661h 0x0000002c xchg eax, ebp 0x0000002d pushad 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F566D59365Ah 0x00000035 add si, 77B8h 0x0000003a jmp 00007F566D59365Bh 0x0000003f popfd 0x00000040 mov di, ax 0x00000043 popad 0x00000044 pushfd 0x00000045 jmp 00007F566D593664h 0x0000004a and si, 3218h 0x0000004f jmp 00007F566D59365Bh 0x00000054 popfd 0x00000055 popad 0x00000056 mov ebp, esp 0x00000058 jmp 00007F566D593666h 0x0000005d push 0000007Fh 0x0000005f pushad 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053518D1 second address: 00000000053518D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053518D5 second address: 0000000005351939 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F566D593662h 0x0000000f sbb si, B6D8h 0x00000014 jmp 00007F566D59365Bh 0x00000019 popfd 0x0000001a popad 0x0000001b push 00000001h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F566D59365Bh 0x00000026 add cl, FFFFFF9Eh 0x00000029 jmp 00007F566D593669h 0x0000002e popfd 0x0000002f mov edx, eax 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005351939 second address: 0000000005351986 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F566CF64A79h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+08h] 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F566CF64A6Dh 0x00000018 or cl, 00000036h 0x0000001b jmp 00007F566CF64A71h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 mov al, 29h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035E02F second address: 000000000035E04B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035E04B second address: 000000000035E050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035E3A3 second address: 000000000035E3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310861 second address: 0000000005310867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310867 second address: 000000000531086B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000531086B second address: 000000000531088C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F566CF64A6Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000531088C second address: 0000000005310890 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310890 second address: 0000000005310896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005310896 second address: 000000000531089C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000531089C second address: 00000000053108A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360CE9 second address: 0000000005360CED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360CED second address: 0000000005360CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360CF3 second address: 0000000005360D29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F566D59365Bh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F566D593665h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360D29 second address: 0000000005360D30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360D30 second address: 0000000005360D4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F566D593664h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360D4F second address: 0000000005360D9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F566CF64A6Dh 0x0000000b adc ax, 5BF6h 0x00000010 jmp 00007F566CF64A71h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f movsx edi, cx 0x00000022 jmp 00007F566CF64A74h 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360D9A second address: 0000000005360DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360DA0 second address: 0000000005360DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360DA4 second address: 0000000005360DC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D59365Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360DC0 second address: 0000000005360DD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A6Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360DD3 second address: 0000000005360DFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 99h 0x00000005 mov ch, EDh 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F566D593659h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F566D593665h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360DFF second address: 0000000005360E03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360E03 second address: 0000000005360E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360E09 second address: 0000000005360E73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F566CF64A6Ah 0x00000008 pop esi 0x00000009 mov ah, bl 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F566CF64A73h 0x00000016 or cx, 46AEh 0x0000001b jmp 00007F566CF64A79h 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007F566CF64A6Eh 0x00000029 xor ax, 0028h 0x0000002e jmp 00007F566CF64A6Bh 0x00000033 popfd 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360E73 second address: 0000000005360EF9 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F566D593668h 0x00000008 add si, B288h 0x0000000d jmp 00007F566D59365Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F566D593669h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 movsx edx, cx 0x00000025 jmp 00007F566D593668h 0x0000002a popad 0x0000002b mov dword ptr [esp+04h], eax 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 jmp 00007F566D593663h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360F39 second address: 0000000005360F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360F3D second address: 0000000005360F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360F43 second address: 0000000005360F48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360F48 second address: 0000000005360F6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 movzx eax, al 0x0000000c pushad 0x0000000d mov ax, B281h 0x00000011 mov ecx, 1136F5BDh 0x00000016 popad 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov edi, 42B15198h 0x00000020 push edi 0x00000021 pop eax 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360F6B second address: 0000000005360F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360F71 second address: 0000000005360F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 00000000053206F6 second address: 0000000005320713 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566CF64A79h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005320713 second address: 000000000532077A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F566D59365Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov eax, edi 0x00000013 mov esi, ebx 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F566D593665h 0x0000001e adc ax, 30A6h 0x00000023 jmp 00007F566D593661h 0x00000028 popfd 0x00000029 push esi 0x0000002a movsx edi, cx 0x0000002d pop ecx 0x0000002e popad 0x0000002f push ecx 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000532077A second address: 000000000532077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
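Each interceptor line above captures the instruction stream from one rdtsc to the next. Read together they show the shape of a cycle-count timing check: two reads of the time-stamp counter separated by filler that leaves registers and flags as it found them (push/pop, pushad/popad, and pushfd/popfd wrapped around throw-away adc/or/xor/movsx), so the only thing that differs between the two reads is elapsed cycles, and under a hypervisor or a sandbox that traps rdtsc that delta is inflated. The script below is an added example, not tooling from this report or code from the sample: it parses lines in exactly this format, classifies the filler between the two reads, and counts pairs per binary, which is a quick way to pull the timing-gadget pattern out of a long report when writing signatures. The two sample lines are copied from this section; the record keys and the stack/flow/compute buckets are this example's own.

```python
"""Mine the 'RDTSC instruction interceptor' lines of a Joe Sandbox report.

Added example, not part of the report: parses each intercepted pair of
rdtsc reads and classifies the filler that sits between them.
"""
import re
from collections import Counter

# Constructed sample: two interceptor lines copied from the report above plus
# one unrelated line, to show that non-RDTSC lines are ignored.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 000000000035E02F second address: 000000000035E04B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F566D593668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe RDTSC instruction interceptor: First address: 0000000005360D4F second address: 0000000005360D9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F566CF64A6Dh 0x0000000b adc ax, 5BF6h 0x00000010 jmp 00007F566CF64A71h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push dword ptr [ebp+0Ch] 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f movsx edi, cx 0x00000022 jmp 00007F566CF64A74h 0x00000027 popad 0x00000028 rdtsc",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 00000000006FFC44 instructions caused by: Self-modifying code",
]

LINE_RE = re.compile(
    r"^Source: (?P<source>.+?) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<body>.+)$"
)
# The disassembly is "0xOFFSET mnemonic [operands]" repeated; split on the offsets.
# Operands never carry a 0x prefix in this format, so the split is unambiguous.
OFFSET_RE = re.compile(r"\s*0x[0-9a-fA-F]{8}\s+")

# Stack-neutral filler keeps register state intact so only elapsed cycles change.
STACK_OPS = {"push", "pop", "pushad", "popad", "pushfd", "popfd"}
FLOW_OPS = {"jmp", "call"}


def classify(mnemonic):
    if mnemonic in STACK_OPS:
        return "stack"
    if mnemonic in FLOW_OPS:
        return "flow"
    return "compute"


def parse_rdtsc_line(line):
    """Return a record for one interceptor line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pieces = [p for p in OFFSET_RE.split(m.group("body")) if p]
    mnemonics = [p.split()[0] for p in pieces]
    # Every intercepted window runs from one rdtsc to the next one.
    if len(mnemonics) < 2 or mnemonics[0] != "rdtsc" or mnemonics[-1] != "rdtsc":
        return None
    between = mnemonics[1:-1]
    first, second = int(m.group("first"), 16), int(m.group("second"), 16)
    return {
        "source": m.group("source"),
        "first": first,
        "second": second,
        "distance": second - first,  # bytes between the two reported rdtsc sites
        "between": between,
        "classes": Counter(classify(mn) for mn in between),
        # pushfd/popfd around arithmetic: the filler scrambles flags, then restores them
        "flags_preserved": "pushfd" in between and "popfd" in between,
    }


def summarise(lines):
    records = [r for r in (parse_rdtsc_line(l) for l in lines) if r]
    return {
        "records": records,
        "pairs_per_source": Counter(r["source"] for r in records),
        "windows_with_compute": sum(1 for r in records if r["classes"]["compute"]),
        "windows_with_flags_preserved": sum(1 for r in records if r["flags_preserved"]),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_LINES)
    for r in s["records"]:
        name = r["source"].rsplit("\\", 1)[-1]
        print(f"{name}: +0x{r['distance']:x} {dict(r['classes'])} "
              f"flags_preserved={r['flags_preserved']}")
    print(dict(s["pairs_per_source"]))
```

Feed it the whole report (one line per list element) and the pairs_per_source counter separates the original dropper from the MPGPH131/RageMP131 copies, while windows_with_flags_preserved isolates the windows that carry obfuscated arithmetic rather than bare push/pop padding.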
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Special instruction interceptor: First address: 00000000001AFC44 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Special instruction interceptor: First address: 00000000003DB535 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 00000000006FFC44 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 000000000092B535 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 00000000010BFC44 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 00000000012EB535 instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Special instruction interceptor: First address: 0000000000E8BB2D instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Special instruction interceptor: First address: 000000000103405E instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Special instruction interceptor: First address: 00000000010C3E48 instructions caused by: Self-modifying code
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_05280536 rdtsc 0_2_05280536
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1539
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1532
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1583
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1556
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1594
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1526
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1583
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1546
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1513
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Window / User API: threadDelayed 4374
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\M2ZJsqaj4w0ejNj1ZjmR.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\niks[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\niks[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\odq7pDl9CbKN8ytjPilL.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\plaza[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\1V9pvgNtHdfeQ8jORjMS.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\Zjn91qMhbLU5NsMO5rSM.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\KMO45Hpdl31XslGofw5s.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\heidiL3Ewlk3eLqUV\q96TsIrSnwwVcxc6LZrs.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\ladas[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ladas[1].exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\plaza[1].exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 4112 Thread sleep count: 132 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 4112 Thread sleep time: -264132s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3624 Thread sleep count: 124 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3624 Thread sleep time: -248124s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 572 Thread sleep time: -48000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 6364 Thread sleep count: 101 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3792 Thread sleep count: 124 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3792 Thread sleep time: -248124s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 6364 Thread sleep count: 74 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3664 Thread sleep count: 94 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3664 Thread sleep time: -188094s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 5836 Thread sleep count: 125 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 5836 Thread sleep time: -250125s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3288 Thread sleep count: 126 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 3288 Thread sleep time: -252126s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 4788 Thread sleep count: 127 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 4788 Thread sleep time: -254127s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 5684 Thread sleep count: 137 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe TID: 5684 Thread sleep time: -274137s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4524 Thread sleep count: 92 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4524 Thread sleep time: -184092s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4308 Thread sleep count: 1539 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4308 Thread sleep time: -3079539s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5664 Thread sleep time: -48000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4456 Thread sleep count: 88 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6004 Thread sleep time: -52026s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4448 Thread sleep count: 1532 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4448 Thread sleep time: -3065532s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1532 Thread sleep count: 1583 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1532 Thread sleep time: -3167583s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6192 Thread sleep count: 1556 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6192 Thread sleep time: -3113556s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1488 Thread sleep count: 1594 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1488 Thread sleep time: -3189594s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6476 Thread sleep count: 33 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6476 Thread sleep time: -66033s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4204 Thread sleep count: 1560 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4204 Thread sleep time: -3121560s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2200 Thread sleep time: -36000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3504 Thread sleep count: 81 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2612 Thread sleep count: 1526 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2612 Thread sleep time: -3053526s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6656 Thread sleep count: 118 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6656 Thread sleep time: -236118s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7096 Thread sleep count: 1583 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7096 Thread sleep time: -3167583s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep count: 1546 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep time: -3093546s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1120 Thread sleep count: 1513 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1120 Thread sleep time: -3027513s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4764 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe TID: 7432 Thread sleep time: -43740s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7540 Thread sleep count: 60 > 30
Source: C:\Windows\System32\svchost.exe TID: 8708 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Thread sleep count: Count: 4374 delay: -10
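The thread-sleep lines record, per thread, how many times a process slept and the total requested delay, each printed next to the sandbox threshold it exceeded (30 calls, 30000 units); the MPGPH131.exe threads with roughly 1,500 sleeps apiece are the stalling that pushes execution past a sandbox's time budget. The script below is an added example, not tooling from this report: it aggregates the three line forms used above (count per TID, time per TID, and the TID-less "Count: N delay: -D" form) per thread and per process and derives the per-call delay, so an analyst can see at a glance how much of the run the sample spent stalling and which process did it. Values stay in the report's own units (the figure printed before the "s"); no conversion is assumed. The sample lines are copied from this section, with the "Jump to behavior" link text left on some of them to show that it is stripped.

```python
"""Aggregate the thread-sleep evasion lines of a Joe Sandbox report.

Added example, not part of the report: sums per-thread sleep counts and
times per process. Units are the report's own (the number printed before
the 's'); they are not re-interpreted here.
"""
import re
from collections import defaultdict

DESKTOP = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe"
MPGPH = r"C:\ProgramData\MPGPH131\MPGPH131.exe"

# Constructed sample: lines copied from the report above, some with the
# 'Jump to behavior' link text still attached.
SAMPLE_LINES = [
    f"Source: {DESKTOP} TID: 4112 Thread sleep count: 132 > 30 Jump to behavior",
    f"Source: {DESKTOP} TID: 4112 Thread sleep time: -264132s >= -30000s Jump to behavior",
    f"Source: {DESKTOP} TID: 572 Thread sleep time: -48000s >= -30000s Jump to behavior",
    f"Source: {MPGPH} TID: 4524 Thread sleep count: 92 > 30",
    f"Source: {MPGPH} TID: 4524 Thread sleep time: -184092s >= -30000s",
    f"Source: {MPGPH} TID: 4308 Thread sleep count: 1539 > 30",
    f"Source: {MPGPH} TID: 4308 Thread sleep time: -3079539s >= -30000s",
    r"Source: C:\Windows\System32\svchost.exe TID: 8708 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Thread sleep count: Count: 4374 delay: -10",
]

COUNT_RE = re.compile(r"^Source: (?P<source>.+?) TID: (?P<tid>\d+) Thread sleep count: (?P<count>\d+) > (?P<threshold>\d+)$")
TIME_RE = re.compile(r"^Source: (?P<source>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<time>\d+)s >= -(?P<threshold>\d+)s$")
DELAY_RE = re.compile(r"^Source: (?P<source>.+?) Thread sleep count: Count: (?P<count>\d+) delay: -(?P<delay>\d+)$")
LINK_RE = re.compile(r"\s+Jump to behavior$")  # interactive residue from the HTML report


def aggregate(lines):
    """Return {'threads': {(source, tid): {count, time}}, 'per_source': {...}}."""
    threads = defaultdict(lambda: {"count": None, "time": None})
    for raw in lines:
        line = LINK_RE.sub("", raw.strip())
        if m := COUNT_RE.match(line):
            threads[(m["source"], int(m["tid"]))]["count"] = int(m["count"])
        elif m := TIME_RE.match(line):
            threads[(m["source"], int(m["tid"]))]["time"] = int(m["time"])
        elif m := DELAY_RE.match(line):
            # No TID on this form; the total is count * per-call delay.
            t = threads[(m["source"], None)]
            t["count"] = int(m["count"])
            t["time"] = int(m["count"]) * int(m["delay"])
    per_source = defaultdict(lambda: {"threads": 0, "total_count": 0, "total_time": 0})
    for (source, _tid), t in threads.items():
        p = per_source[source]
        p["threads"] += 1
        p["total_count"] += t["count"] or 0
        p["total_time"] += t["time"] or 0
    return {"threads": dict(threads), "per_source": dict(per_source)}


def average_delay(thread):
    """Per-call delay in report units, or None when only one figure is known."""
    if thread["count"] and thread["time"]:
        return thread["time"] // thread["count"]
    return None


def longest_sleepers(result, n=3):
    """(source, tid, total_time) for the n threads that slept longest."""
    ranked = sorted(result["threads"].items(), key=lambda kv: kv[1]["time"] or 0, reverse=True)
    return [(src, tid, t["time"]) for (src, tid), t in ranked[:n]]


if __name__ == "__main__":
    res = aggregate(SAMPLE_LINES)
    for source, p in res["per_source"].items():
        print(f"{source.rsplit(chr(92), 1)[-1]}: {p['threads']} threads, "
              f"{p['total_count']} sleeps, {p['total_time']} units")
    for src, tid, total in longest_sleepers(res):
        print(f"  longest: {src.rsplit(chr(92), 1)[-1]} TID {tid} -> {total}")
```

On this report the per-call figure comes out identical (2001 units) for every TID-bearing thread of both the dropper and MPGPH131.exe, which is the signature of one sleep loop with a fixed delay rather than organic waiting; the 4374-call, 10-unit loop in uZN1wC5UClYhYsdlFwua.exe is a different routine and shows up separately.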
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0007C050 FindFirstFileA,FindNextFileA,SetFileAttributesA,RemoveDirectoryA,__Mtx_unlock, 0_2_0007C050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0014B4E5 recv,FindFirstFileExW, 0_2_0014B4E5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ShaderCache\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Subresource Filter\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SafetyTips\
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: firefox.exe, 00000028.00000003.2408909930.000002DDD9A76000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2409610072.000002DDD9A76000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2986469421.000002DDD9A72000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2406616011.000002DDD9A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW0r
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865x
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2135141879.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000B
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.0000000001311000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000135D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FAD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3315495326.0000000000FDA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2399410528.0000000001715000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2969389417.0000000000A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3314020418.000001261342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3314212475.000001261343F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: firefox.exe, 00000028.00000002.3002620344.000002DDE4903000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 00000007.00000003.2258470802.00000000060AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMCitrio
Source: RageMP131.exe, 00000008.00000003.2228908370.00000000016E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<d
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2983906707.000000000133A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MPGPH131.exe, 00000006.00000003.2135141879.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}h
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}W
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2262042724.00000000060B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}-1028231-15-52,P-X-1087217-10-23,P-X-1110552-2-3,P-X-1108288-1-7,P-X-1100779-2-7,P-X-1092122-2-9,P-X-1096650-2-6,P-X-1105131-2-6,P-X-1097232-3-13,P-X-1104872-1-9,P-X-1103964-2-3,P-X-1099080-1-9,P-X-1089758-2-11,P-X-1102990-2-3,P-X-1102008-2-7,P-X-1063575-3-11,P-X-1102153-2-4,P-X-1071006-1-5,P-X-1100769-1-3,P-X-1099659-1-3,P-X-1095668-2-7,P-X-1097226-1-5,P-X-1083898-4-17,P-X-1095524-1-3,P-X-1063514-2-6,P-X-1094047-1-6,P-X-1092821-2-3,P-X-1092738-2-3,P-X-1092158-1-3,P-X-1068889-5-13,P-X-1086546-21-84,P-X-1091091-2-4,P-X-1089774-2-7,P-X-1089256-2-5,P-X-1089119-2-6,P-X-1013679-1-5,P-X-1087661-2-6,P-X-1085156-1-3,P-X-1082985-5-11,P-X-1082074-3-7,P-X-1047521-4-21,P-X-1080712-1-5,P-X-1079473-2-6,P-X-1048662-1-13,P-X-1077532-1-5,P-X-1077147-1-9,P-X-1077361-1-3,P-X-1056699-36-118,P-X-1067018-2-4,P-X-1043380-1-18,P-X-1071593-2-4,P-X-1070560-4-8,P-X-1070133-1-6,P-X-1070026-3-7,P-X-1056537-1-9,P-X-1067718-1-3,P-X-1066229-1-7,P-X-1050101-1-9,P-X-1061902-3-17,P-X-1053062-1-5,P-X-1058142-1-7,P-X-1059966-1-9,P-X-1052772-23-44,P-X-1043219-25-50,P-X-1054089-1-3,P-X-1052254-4-10,P-X-1021723-3-16,P-X-1048870-3-8,P-X-1048071-1-5,P-X-1047513-1-5,P-X-1026324-3-20,P-X-1010579-1-9,P-X-1008556-23-99,P-X-1037615-1-7,P-X-1006190-9-15,P-X-1036081-1-3,P-X-1027402-7-15,P-X-1020537-2-6,P-X-1012411-2-9,P-X-100876-37-228,P-X-117040-1-5,P-X-113035-2-9,P-X-97954-9-89,P-X-91270-7-51,P-R-1089873-14-4,P-R-1080087-6-13,P-R-1075857-18-21,P-R-1068861-4-10,P-R-1047495-8-15,P-R-1044077-26-18,P-R-1008497-12-13,P-R-87486-2-16,P-R-86300-4-56,P-R-83096-12-34,P-R-67067-6-47,gb1ee141:447804,3j0gg466:431877,resetbing:447060,c1i80862:426410,wponsat2_50:441048,jj2e6986:422781,995h3546:443806,9djb2419:437170,bfcg7827:432826,t9qranimationemailautofill:439591,70030996:441561,ebd3g171:445684,tp-long:439700,b01ji385:438026,i1g2g604:437359,9ffeg962:402950,e37a0582:438880,cf:403575,3da3b319:434919,d68dd294:435290,web-select-unship:450753,8j079527:448887,i2e7g608:426901,6h
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2973463607.0000000000330000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.3308743125.0000000000880000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3180807981.0000000000880000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2396054485.0000000001240000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2980573611.0000000001240000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: RageMP131.exe, 00000008.00000002.2399410528.00000000016D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000008.00000002.2399410528.00000000016D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: MPGPH131.exe, 00000006.00000002.3315495326.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: RageMP131.exe, 0000000D.00000003.2422505089.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: MPGPH131.exe, 00000006.00000003.2135141879.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: MPGPH131.exe, 00000007.00000003.2135431030.000000000138E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: RageMP131.exe, 0000000D.00000002.2969389417.0000000000A0B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&b
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: RageMP131.exe, 0000000D.00000003.2422505089.0000000000A44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: firefox.exe, 00000028.00000003.2406616011.000002DDD9ABB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000002.2986469421.000002DDD9ABB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2408279262.000002DDD9ABB000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000028.00000003.2408909930.000002DDD9ABB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2089743841.0000000001326000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2195437533.0000000006216000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}MdE8+GeJZtXTPROjLLZ0exdRMCjJJBtgwH3UFESQESWTGo/4pANxWleUaXjqk2PcqqrWpQ3hgZatWnpSoW/j9Sa61kw1Aho3rGmNGpMrKqZ9myHLRblZaqohK9Uz2bpiG3dJANRWvpJDuWqqk0iLoDHUqgA6d61hxTbxSQHUe25aZdth3LIKPzOeAMKkjaGsPydktDUzMsg3psGBSDZkavzIZBtSaChmg6LbM5jml0ng3TbHeAIamdicTE2iN9pNQEMKneEgCNFL1tE13WMQvNMyZKaZtAtTS786wYdluebdvOyKhtKtumQa6jjOxqjA791xozrGjprTHYjmpwZ6ufFcVpqahopuW0x2iZZntabUMxzJZKturYBqmk1C/gnpiFqkPdMqAfVKgJMA9qqwfL0S2t1YNum9yZ60FalqF1GCyFW9Gpn2k9NSph1hxnpEFLxa4MZ8mK3bKKrmnc12oCSzGcjqtAigyt63YYRmvNnCXLcIVmlIZpaG2dTCjZmTlTVZ1mdcmGDFO36RVH5qulJtBksz1ow1Z0tS0Azmq2BBiqhdWlaiO9GaNKM4vJkSsaHdPdNpSqGjr5b0WAGAEJTeDBXNiIg1ptBp0mr6UVJlfRWs+qqak0+WolEZ1wd6rUhP+Q+2kjp3qjWSYCVTMwbooReCqZminb7elVLR2mshoCVSbbt1xY1Xl0bPq0MFWgUMthKJasy604oMmaUdM7lgOjOCO7fFRUWMAaGeS+PDU4NtwVy1qvXlAHI1P46xMP37YB9Wzh8k9i3ZpKZegnbjfdMUa2GAN/ocONRxRd7PIN0oQDKWol17awMCgcmuLR1GRyUKN81GTKMXAhoRYc3iSldEtaLxXGFF250HXLlnVJe5XXa900L3RNsS1LSlnG8mUQrYlANmXJUwIbkUW90FVTh8ofSRxlbq7+MGSQkBNIr68qMx0bMlTVshXJcYyNhlCEdiwsU3L81yVmwUEfFqwtLVfe2rJVC88IeaaUO/9M3SjYunkQR2zrBqFb5PEqCENQOIajSFhgGgVk6tEwFYktfW2tWDQKw0S0y5NRGJPOmgNSaSkrr4FmGxfUPzoIlLW6NmWdFNAMR3JWK7Z2aEzIIlgQTLNcrCmV6G0bY16hhfKHpPmuttS46rqjOJJv2r6vOiTJUB1Ygy1HGQuZl4+KKNsEyYVuYMo1yX5FKDNojFg1tiUFKrOggk1mRP6WzI3CNsiRNCLkUok5qmfa1K6g3ZAU2fVtXZapYxPPjq97rqNjSIhN4A98FuXBaucv6Q0WlvThhiHLk+wjDKK3IvHdnInxO1Lw6jumpUFrwg6mpHi6rds0KgXSNQnh0A50DZ1RVrIkS18ju9kWKQsXlzSPvcIH7AsNi8expGWgr3SHrGAgsOjSq+7LK1N3uHJY7UsyKHDLheYAzFiS43km8qWGdgXxXPLjj8hN0/gj89I4DD+CfJOnwXrN0oh9XGgwnKxKESBZGMMnojURxEWex+t1SIPC3JjSylr6a1Mhx8SaVSTfsl/XCGGwKJzSkEzZRaCVyWdMeJHEbB1QzKGpRIaAD/lEjPyHqZRcY629KhaYscBtGxpu2c/EjTJ45I93zBIymaVKGcyOt8xzs83S9d68MPDe0KwhV2P1Ml9XMWg4OeRn7jtUz3YsK4ILhC1VcyQ5CBjCEwxp2Roc81V79QPdgqERSU1Dgtl1iIAMYDa4l+wxRcUUogNSHR3Im
mIRt6FjBAaMauv0DPMacE7HWZkmBqFYtA7flR+wZxTDTwKPLy6sbbJnVnAldU1StPXrCtANCmJlOpLqbVauqdOzBk3QYcZUxaZmGEoKDI9tLMO40OA+WDiJl6SxX3j5cpeyNfvJoiJDG6ZPllSX6cBE5OHILXBC3VcZAAh5uG3Q2PzANlQTY5MVckrD3qwceLxmwPE1dJ24GaYStoAPGdIKnhJ/uMuQYdEhCl1omqOpqqSwJXN1Ezo5cGZbslR/4wMbQg/AXFtaGiZWro15pyBiwSrKDzf21mlcJJnqRr7GOR1V8m32SlN3oanITKRBHr85JmlESEryGUsYC+GFsKFyAZhtYE5ZnjLmJsG7AhVkgoHS5tWXLY2eaWnakrnaII2YEIyB6rK0zliKwUEClQvoh0UbTDiaUWloUmAHGICBWKADB2DtqxpTYbML1dYQHCR15W3wQr2gBIvli3mOI6x6RpHoZ566Hs017ENAX8IbrCs33AY+ouyaaWDD3GnSJt+Gq9RdbxFJPBiXcTZ4s2oD7pBab2Gsk3shNGowD8uCdcTSbBOnjLpDSjNodmzyRR+zAvNfKI5iwgTMNy0VD1ipjsQjUkBuaVCo85m/xhRfKLaDoFpXUaIGa+ouhaJRhVDoWTMN2yxhl3hWZcIbevWMGbfazyrgawkmxLOh621+IByjLR9AzCqRwBMv1QyNErVTPsMpTLUlD2gFKEyv5FGC4kiiwgLAwhzWWdWzAYdsP8tIik1/CDF41+hHz1R3Ar0YDbrgOK9BFxYnqYaAhK3xmqNiMBBGqMsKR2iOwyGaUvWhmSaHO9WYZZ0KBkBZAU6QXC3CP4oqHlHfmgR3FKt8ppoKhWQJXXQEN+DDkV0+mqppjHSFAEw9zVcxMnw05s6WtapsLGadZqPsiqzraBWopWdVNx2t9Wwjo9PQhbkRUHk5V0ImVAG8OisVRbGnGlWtBL01hRQDxOKPqCh0rSyLoLUMXQi2ikbkPHiNBSgoHuG1DhVZlDhpO4Aqeq2G91cjx9bgNcCYjWffBGmWPxVRy7dheBTMYKtmBnPNixKthIkIkio5o2IciNlfKIQxTY6aOemc8SXNA37bvtCr8X5kRsuuHYeeGs9HzrfJz8VEIN3aak2J/MjXkPr97M8ziat1dvHH2djz4iLK79g7C
Source: MPGPH131.exe, 00000007.00000002.3182954510.0000000001350000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(h=
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2973463607.0000000000330000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3308743125.0000000000880000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3180807981.0000000000880000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2396054485.0000000001240000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000D.00000002.2980573611.0000000001240000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3211469180.00000000060A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}FilesPSModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: MPGPH131.exe, 00000007.00000003.2238284042.00000000060B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_052B0391 Start: 052B0538 End: 052B03D5 0_2_052B0391
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04E70CDA Start: 04E70CE9 End: 04E70CA9 6_2_04E70CDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_04F30D3B Start: 04F30DC5 End: 04F30DBF 6_2_04F30D3B
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: regmonclass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: gbdyllo
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: procmon_window_class
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: ollydbg
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: filemonclass
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe File opened: NTICE
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe File opened: SICE
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe File opened: SIWVID
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Process queried: DebugPort
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_05280536 rdtsc 0_2_05280536
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0008FAD0 mov eax, dword ptr fs:[00000030h] 0_2_0008FAD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_00084B00 mov eax, dword ptr fs:[00000030h] 0_2_00084B00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005DFAD0 mov eax, dword ptr fs:[00000030h] 6_2_005DFAD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005D4B00 mov eax, dword ptr fs:[00000030h] 6_2_005D4B00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe "C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.youtube.com/
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.linkedin.com/login
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://accounts.google.com/
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video
Source: C:\Users\user\AppData\Local\Temp\heidiqKHFva9A6SyV\uZN1wC5UClYhYsdlFwua.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2225887227.00000000065B7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2426655207.0000000006638000.00000004.00000020.00020000.00000000.sdmp, uZN1wC5UClYhYsdlFwua.exe, 0000000A.00000000.2265645503.0000000000C32000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.2973463607.0000000000330000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.3308743125.0000000000880000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: mProgram Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_0014CE0B GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0014CE0B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
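Read together, the records in this section describe a layered anti-analysis routine rather than isolated events. "Thread information set: HideFromDebugger" is NtSetInformationThread(ThreadHideFromDebugger), which stops a debugger receiving events for that thread; "Process queried: DebugPort" is NtQueryInformationProcess(ProcessDebugPort); NTICE, SICE and SIWVID are the device names of the SoftICE kernel debugger, probed with CreateFile; the window names (ollydbg, gbdyllo which is ollydbg reversed, procmon_window_class, regmonclass, filemonclass and the three Sysinternals titles) are looked up with FindWindow; "mov eax, dword ptr fs:[30h]" loads the PEB on 32-bit Windows, where BeingDebugged lives; and rdtsc together with GetSystemTimePreciseAsFileTime supports the timing checks. The \\.\Oreans.vxd and Software\WinLicense strings recorded earlier belong to Oreans' Themida/WinLicense protector, and the HARDWARE\ACPI\DSDT\VBOX__ key sits in the same memory region as those strings, so that VirtualBox check is likely the protector's rather than the payload's. The Python below is an added example written by the editor, not Joe Sandbox tooling or code from the sample: it parses report lines in the "Source: ... <record type>: ..." form used on this page and groups the artifacts by technique, so an analyst knows which tool names and device names to hide. The sample lines are copied from this page; the classification table is the editor's own and the "unclassified" bucket is for records it does not recognise.

```python
"""Group the anti-analysis artifacts of a Joe Sandbox style report by technique.

Editor's added example: not part of the sandbox's tooling or the malware. The
classification table encodes publicly documented meanings of each artifact.
"""
import re
from collections import defaultdict

# Constructed input: lines copied verbatim from the report above, one per record type.
REPORT_LINES = r"""
Source: MPGPH131.exe, 00000006.00000002.3327672858.0000000006120000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: RageMP131.exe, 00000008.00000002.2399410528.00000000016D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: RageMP131.exe, 0000000D.00000003.2422505089.0000000000A3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000007.00000002.3180807981.0000000000880000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: procmon_window_class
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: ollydbg
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe Open window title or class name: gbdyllo
Source: C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Code function: 0_2_05280536 rdtsc 0_2_05280536
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005DFAD0 mov eax, dword ptr fs:[00000030h] 6_2_005DFAD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
"""

RECORD = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<kind>Binary or memory string|Thread information set|Open window title or class name|"
    r"File opened|Process queried|Code function|Registry key value queried): (?P<val>.*)$"
)

ANTI_VM_MARKERS = {            # substring of a memory string -> what it fingerprints
    "vmware": "VMware vendor/device string",
    "vbox__": "VirtualBox ACPI DSDT table name",
    "hyper-v raw": "Hyper-V host marker",
}
DEBUGGER_WINDOWS = {           # names passed to FindWindow -> the tool they identify
    "ollydbg": "OllyDbg window class",
    "gbdyllo": "OllyDbg window class, name reversed",
    "procmon_window_class": "Process Monitor window class",
    "regmonclass": "Regmon window class",
    "filemonclass": "Filemon window class",
    "process monitor - sysinternals: www.sysinternals.com": "Process Monitor title",
    "registry monitor - sysinternals: www.sysinternals.com": "Regmon title",
    "file monitor - sysinternals: www.sysinternals.com": "Filemon title",
}
SOFTICE_DEVICES = {"ntice", "sice", "siwvid"}   # \\.\NTICE etc.: SoftICE driver devices


def process_name(src: str) -> str:
    r"""'MPGPH131.exe, 0000...sdmp' or 'C:\...\MPGPH131.exe' -> 'MPGPH131.exe'."""
    return src.split(",", 1)[0].rsplit("\\", 1)[-1]


def classify(kind: str, val: str):
    """Map one report record to (technique, detail); None when not recognised."""
    low = val.lower()
    if kind == "Binary or memory string":
        for marker, desc in ANTI_VM_MARKERS.items():
            if marker in low:
                return "anti-vm string", desc
    elif kind == "Thread information set" and val == "HideFromDebugger":
        return "anti-debug", "NtSetInformationThread(ThreadHideFromDebugger)"
    elif kind == "Open window title or class name" and low in DEBUGGER_WINDOWS:
        return "analysis-tool window scan", DEBUGGER_WINDOWS[low]
    elif kind == "File opened" and low in SOFTICE_DEVICES:
        return "anti-debug", "SoftICE device \\\\.\\" + val
    elif kind == "Process queried" and val == "DebugPort":
        return "anti-debug", "NtQueryInformationProcess(ProcessDebugPort)"
    elif kind == "Code function":
        if " rdtsc " in low:
            return "timing check", "RDTSC delta measurement"
        if "fs:[00000030h]" in low:
            return "peb access", "mov eax, fs:[30h] (x86 TEB->PEB, e.g. BeingDebugged)"
    return None


def summarize(report_text: str) -> dict:
    """Return {technique: sorted list of (process, detail)}, plus an 'unclassified' bucket."""
    grouped = defaultdict(set)
    for line in report_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue                      # not one of the record types we understand
        hit = classify(m["kind"], m["val"])
        proc = process_name(m["src"])
        if hit is None:
            grouped["unclassified"].add((proc, m["val"]))
        else:
            grouped[hit[0]].add((proc, hit[1]))
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for technique, entries in summarize(REPORT_LINES).items():
        print(technique)
        for proc, detail in entries:
            print(f"  {proc:<50} {detail}")
```

The CentralProcessor registry read is deliberately left unclassified: the report lists it as a sandbox check, but on its own the key is also read by benign software, so it is a weak indicator compared with the SoftICE device names or the debugger window classes.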

Stealing of Sensitive Information

Source: Yara match File source: 47.2.MSIUpdaterV131.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 48.2.MSIUpdaterV131.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000030.00000002.2977016752.0000000000E21000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2989083524.0000000000E21000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000003.2497904829.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000030.00000003.2494934108.0000000005010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\4Qyvog5i9OC8XjvXu8RG7XR.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qeHT0oUWfbW5FkMz6HD8K_u.zip, type: DROPPED
Source: MPGPH131.exe, 00000007.00000002.3182954510.000000000142F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: t\user\AppData\Roaming\Electrum-LTC\wallets
Source: MPGPH131.exe, 00000007.00000003.2257754336.0000000006109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000003.2150724292.00000000013C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty Extension
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: u\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000007.00000003.2257754336.0000000006109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe, 00000000.00000002.3020835870.00000000062DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: u\user\AppData\Roaming\Ethereum\wallets
Source: MPGPH131.exe, 00000007.00000003.2257754336.0000000006109000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: firefox.exe, 00000028.00000002.3102724208.000007C490404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: OSKeyStore
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\cookies.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\LocalPrefs.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.26349.27730.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 00000007.00000002.3182954510.00000000013D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7108, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2952, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1576, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\4Qyvog5i9OC8XjvXu8RG7XR.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qeHT0oUWfbW5FkMz6HD8K_u.zip, type: DROPPED